Showing
9 changed files
with
396 additions
and
3 deletions.
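--- /dev/null
+++ b/...engine/rules/prepackaged_rules/defense_evasion_disabling_windows_defender_powershell.json
@@ -0,0 +1,59 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.",
+"false_positives": [
+"Planned Windows Defender configuration changes."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Disabling Windows Defender Security Settings via PowerShell",
+"query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n",
+"references": [
+"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"
+],
+"risk_score": 47,
+"rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1562",
+"name": "Impair Defenses",
+"reference": "https://attack.mitre.org/techniques/T1562/",
+"subtechnique": [
+{
+"id": "T1562.001",
+"name": "Disable or Modify Tools",
+"reference": "https://attack.mitre.org/techniques/T1562/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}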
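Review bot: The `-Exclusion*` pattern on the `"query"` line only fires when `Set-MpPreference` is also present in process.args, so exclusion changes made through the companion `Add-MpPreference` cmdlet (the one Microsoft documents for adding exclusions) are not covered; consider `process.args : ("Set-MpPreference", "Add-MpPreference")`. On the same line, `-Disable*` also matches a `-Disable…` parameter being set back to `$false`, so the rule fires on re-enabling a setting as well as disabling it; that is worth stating in `false_positives`, e.g. `"Re-enabling a previously disabled Windows Defender setting via the same Set-MpPreference parameter."`. The other entries in `false_positives` and the description are fine as written.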
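--- /dev/null
+++ b/...n_engine/rules/prepackaged_rules/defense_evasion_enable_network_discovery_with_netsh.json
@@ -0,0 +1,56 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.",
+"false_positives": [
+"Host Windows Firewall planned system administration changes."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Enable Host Network Discovery via Netsh",
+"query": "process where event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n",
+"risk_score": 47,
+"rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1562",
+"name": "Impair Defenses",
+"reference": "https://attack.mitre.org/techniques/T1562/",
+"subtechnique": [
+{
+"id": "T1562.001",
+"name": "Disable or Modify Tools",
+"reference": "https://attack.mitre.org/techniques/T1562/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}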
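Review bot: The `"query"` line matches `process.args : "group=Network Discovery"`, which only works if the data source delivers the quoted netsh argument as one token with the quotes stripped; nothing in the rule establishes that the `winlogbeat-*` sources (Sysmon or 4688 command lines) tokenise it the same way as the Endpoint events, so a sample event per source, or a `process.command_line : "*group=\"Network Discovery\"*"` fallback, would make the match dependable. This file is also the only rule in the commit without a `references` array; the description's claim about weakening firewall settings should point at the netsh advfirewall documentation so analysts have the same context the sibling rules provide.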
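--- /dev/null
+++ b/...tion_engine/rules/prepackaged_rules/defense_evasion_execution_windefend_unusual_path.json
@@ -0,0 +1,59 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.",
+"false_positives": [
+"Microsoft Antimalware Service Executable installed on non default installation path."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
+"query": "process where event.type == \"start\" and\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\"))\n",
+"references": [
+"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
+],
+"risk_score": 73,
+"rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1574",
+"name": "Hijack Execution Flow",
+"reference": "https://attack.mitre.org/techniques/T1574/",
+"subtechnique": [
+{
+"id": "T1574.002",
+"name": "DLL Side-Loading",
+"reference": "https://attack.mitre.org/techniques/T1574/002/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}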
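Review bot: On the `"query"` line the `event.type == "start"` test applies only to the first alternative, because EQL's `and` binds tighter than `or`: the expression parses as `(start and original_file_name == "MsMpEng.exe" and not name : "MsMpEng.exe") or (name : "MsMpEng.exe" and not executable : (...))`, so the second branch fires on every process event type for an MsMpEng.exe outside the listed paths, not only on process start, which inflates alert volume for the high-severity rule. Wrap the two alternatives in one parenthesised group: `process where event.type == "start" and`, then `((process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or`, then `(process.name : "MsMpEng.exe" and not process.executable : (...)))` with the existing path list unchanged. A short comment at the head of the query naming the two cases (renamed binary vs. relocated binary) would also make the intent of the two branches readable without the description.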
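--- /dev/null
+++ b/...es/prepackaged_rules/privilege_escalation_printspooler_malicious_driver_file_changes.json
@@ -0,0 +1,50 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential PrintNightmare File Modification",
+"query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nfile where process.name : \"spoolsv.exe\" and \n file.name : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*\"\n",
+"references": [
+"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+"https://github.com/afwu/PrintNightmare"
+],
+"risk_score": 73,
+"rule_id": "5e87f165-45c2-4b80-bfa5-52822552c997",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Privilege Escalation"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0004",
+"name": "Privilege Escalation",
+"reference": "https://attack.mitre.org/tactics/TA0004/"
+},
+"technique": [
+{
+"id": "T1068",
+"name": "Exploitation for Privilege Escalation",
+"reference": "https://attack.mitre.org/techniques/T1068/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}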
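Review bot: The `"query"` line uses `file where` with no `event.type` restriction even though the description says "creation or modification", so deletions of those DLLs by spoolsv.exe also match here, and the sibling rule `privilege_escalation_printspooler_suspicious_file_deletion.json` in this commit handles deletion separately at a lower severity; one event can therefore raise two alerts with different risk scores. Add an event-type filter after `file where`, e.g. `file where event.type : ("creation", "change") and process.name : "spoolsv.exe" and` (the exact type values depend on the data source; the sibling rule uses `event.type : "deletion"`, so the two should be checked against the same Sysmon and Endpoint samples). The query also carries a trailing space before the first `\n` (`and \n`), and the DLL name list is duplicated verbatim in the registry-modification rule, so a change to one is easy to miss in the other.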
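--- /dev/null
+++ b/.../prepackaged_rules/privilege_escalation_printspooler_malicious_registry_modification.json
@@ -0,0 +1,49 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+"from": "now-9m",
+"index": [
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential PrintNightmare Exploit Registry Modification",
+"query": "/* This rule is not compatible with Sysmon due to schema issues */\n\nregistry where process.name : \"spoolsv.exe\" and\n (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\mimikatz*\\\\Data File\" or\n (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\*\\\\Configuration File\" and\n registry.data.strings : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\")))\n",
+"references": [
+"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+"https://github.com/afwu/PrintNightmare"
+],
+"risk_score": 73,
+"rule_id": "6506c9fd-229e-4722-8f0f-69be759afd2a",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Privilege Escalation"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0004",
+"name": "Privilege Escalation",
+"reference": "https://attack.mitre.org/tactics/TA0004/"
+},
+"technique": [
+{
+"id": "T1068",
+"name": "Exploitation for Privilege Escalation",
+"reference": "https://attack.mitre.org/techniques/T1068/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}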
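Review bot: The first alternative on the `"query"` line is keyed on a tool-specific name fragment in the registry path (`...\\Version-3\\mimikatz*\\Data File`), which is a brittle indicator next to the second alternative that matches system DLL names written as a driver `Configuration File`; the inline query comment should say so, e.g. `/* The mimikatz* path match is a high-confidence shortcut only; the Configuration File branch is the durable detection. */`, so that a future edit does not drop the second branch as redundant. The rule also has no `false_positives` entry, unlike the deletion rule in this commit; a line such as `"Legitimate print driver installation or update that writes a Configuration File value under the Version-3 key."` would match the style of the siblings. The description text's "Detects attempts to exploit" overstates what a registry match shows; "Detects registry changes consistent with exploitation of" is closer to the query.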
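--- /dev/null
+++ b/...e/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_file_deletion.json
@@ -0,0 +1,53 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.",
+"false_positives": [
+"Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Suspicious Print Spooler File Deletion",
+"query": "file where event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n",
+"references": [
+"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+"https://github.com/afwu/PrintNightmare"
+],
+"risk_score": 47,
+"rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Privilege Escalation"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0004",
+"name": "Privilege Escalation",
+"reference": "https://attack.mitre.org/tactics/TA0004/"
+},
+"technique": [
+{
+"id": "T1068",
+"name": "Exploitation for Privilege Escalation",
+"reference": "https://attack.mitre.org/techniques/T1068/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}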
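Review bot: The exemption on the `"query"` line, `not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe")`, is keyed on the image name alone, so any process carrying one of those names is excluded regardless of where it runs from; anchoring the exemption to the executable path, e.g. `not process.executable : ("?:\\Windows\\System32\\spoolsv.exe", "?:\\Windows\\System32\\dllhost.exe", "?:\\Windows\\explorer.exe")`, keeps the same intent while making the allowlist depend on something the event actually verifies, which is the approach the MsMpEng rule in this commit already takes. The `false_positives` text asks the analyst to verify manufacturer and signature information, but the rule does not say which field carries it; if that data comes from the Endpoint file event it should be named, and if it is not available from `winlogbeat-*` the note should say the check needs the file itself. The grammar in `false_positives` ("a legitimate printing driver files") also needs "a" dropped or "files" made singular.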