From c64388e2ceb1c657bd21e1021cebdee385eea64a Mon Sep 17 00:00:00 2001 
From: Terrance DeJesus Date: Mon, 20 Jun 2022 16:48:05 -0400 Subject: [PATCH 1/2] updating pre-existing pre-built detection rule security docs with newly generated --- .../prebuilt-rules-changelog.asciidoc | 37 +- .../prebuilt-rules-reference.asciidoc | 402 +- .../prebuilt-rules/rule-desc-index.asciidoc | 38 +- ...l-process-id-or-lock-file-created.asciidoc | 91 + ...ured-with-never-expiring-password.asciidoc | 60 +- ...covery-command-via-system-account.asciidoc | 48 +- ...-hidden-file-attribute-via-attrib.asciidoc | 7 +- .../adfind-command-activity.asciidoc | 26 +- ...insdholder-sdprop-exclusion-added.asciidoc | 27 +- .../adobe-hijack-persistence.asciidoc | 37 +- .../anomalous-kernel-module-activity.asciidoc | 68 - ...anomalous-linux-compiler-activity.asciidoc | 9 +- ...us-process-for-a-linux-population.asciidoc | 9 +- ...-process-for-a-windows-population.asciidoc | 9 +- ...nomalous-windows-process-creation.asciidoc | 9 +- ...-added-to-google-workspace-domain.asciidoc | 7 +- .../attempt-to-disable-gatekeeper.asciidoc | 13 +- ...orce-a-microsoft-365-user-account.asciidoc | 22 +- ...s-iam-password-recovery-requested.asciidoc | 9 +- .../aws-redshift-cluster-creation.asciidoc | 75 + .../aws-route-table-created.asciidoc | 9 +- ...s-route-table-modified-or-deleted.asciidoc | 9 +- ...uted-from-shared-memory-directory.asciidoc | 70 + .../clearing-windows-console-history.asciidoc | 49 +- .../clearing-windows-event-logs.asciidoc | 49 +- ...-execution-via-solarwinds-process.asciidoc | 9 +- .../component-object-model-hijacking.asciidoc | 106 +- ...wned-by-suspicious-parent-process.asciidoc | 65 +- ...n-to-commonly-abused-web-services.asciidoc | 72 +- ...on-of-a-hidden-local-user-account.asciidoc | 21 +- ...f-domain-backup-dpapi-private-key.asciidoc | 9 +- ...isition-via-registry-hive-dumping.asciidoc | 29 +- ...ting-backup-catalogs-with-wbadmin.asciidoc | 25 +- ...ecurity-logs-using-built-in-tools.asciidoc | 45 +- ...-windows-firewall-rules-via-netsh.asciidoc | 34 +- 
...-security-settings-via-powershell.asciidoc | 54 +- ...-google-workspace-trusted-domains.asciidoc | 7 +- .../elastic-agent-service-terminated.asciidoc | 82 + ...nd-rules-creation-or-modification.asciidoc | 17 +- ...-host-network-discovery-via-netsh.asciidoc | 46 +- ...ncrypting-files-with-winrar-or-7z.asciidoc | 26 +- ...eration-of-administrator-accounts.asciidoc | 50 +- ...rivileged-local-groups-membership.asciidoc | 74 +- ...n-or-modified-by-microsoft-office.asciidoc | 74 +- ...written-or-modified-by-pdf-reader.asciidoc | 75 +- ...g-exchange-mailbox-via-powershell.asciidoc | 57 +- ...p-lookup-from-non-browser-process.asciidoc | 64 +- .../file-and-directory-discovery.asciidoc | 53 +- ...ace-admin-role-assigned-to-a-user.asciidoc | 7 +- ...gle-workspace-admin-role-deletion.asciidoc | 7 +- ...main-wide-delegation-of-authority.asciidoc | 7 +- ...rkspace-custom-admin-role-created.asciidoc | 7 +- ...orkspace-mfa-enforcement-disabled.asciidoc | 7 +- ...orkspace-password-policy-modified.asciidoc | 7 +- .../google-workspace-role-modified.asciidoc | 7 +- ...licy-abuse-for-privilege-addition.asciidoc | 11 +- ...ocess-and-or-service-terminations.asciidoc | 24 +- .../rule-details/hosts-file-modified.asciidoc | 7 +- .../hping-process-activity.asciidoc | 20 +- ...windows-update-auto-update-client.asciidoc | 7 +- ...ctive-terminal-spawned-via-python.asciidoc | 7 +- ...-authentication-disabled-for-user.asciidoc | 24 +- ...eros-traffic-from-unusual-process.asciidoc | 38 +- .../kubernetes-user-exec-into-pod.asciidoc | 78 + .../lateral-tool-transfer.asciidoc | 105 - ...-via-apt-apt-get-changelog-escape.asciidoc | 66 - ...d-shell-breakout-via-awk-commands.asciidoc | 65 - ...reakout-via-busybox-shell-evasion.asciidoc | 64 - ...reakout-via-c89-c99-shell-evasion.asciidoc | 67 - ...eakout-via-cpulimit-shell-evasion.asciidoc | 65 - ...-breakout-via-crash-shell-evasion.asciidoc | 63 - ...ll-breakout-via-env-shell-evasion.asciidoc | 64 - ...-breakout-via-flock-shell-evasion.asciidoc | 65 
- ...-shell-breakout-via-linux-binarys.asciidoc | 189 + ...l-breakout-via-the-expect-command.asciidoc | 66 - ...ell-breakout-via-the-find-command.asciidoc | 65 - ...hell-breakout-via-the-gcc-command.asciidoc | 66 - ...ll-breakout-via-the-mysql-command.asciidoc | 65 - ...hell-breakout-via-the-ssh-command.asciidoc | 67 - ...shell-breakout-via-the-vi-command.asciidoc | 65 - .../lsass-memory-dump-creation.asciidoc | 7 +- .../lsass-memory-dump-handle-access.asciidoc | 46 +- ...for-google-workspace-organization.asciidoc | 7 +- ...365-inbox-forwarding-rule-created.asciidoc | 23 +- ...rosoft-windows-defender-tampering.asciidoc | 54 +- ...mimikatz-memssp-log-file-detected.asciidoc | 33 +- ...cation-of-amsienable-registry-key.asciidoc | 43 +- ...odification-of-boot-configuration.asciidoc | 25 +- ...tion-of-wdigest-security-provider.asciidoc | 44 +- ...o-security-registry-modifications.asciidoc | 34 +- .../network-connection-via-certutil.asciidoc | 38 +- .../peripheral-device-discovery.asciidoc | 50 +- ...-scripts-in-the-startup-directory.asciidoc | 47 +- .../port-forwarding-rule-addition.asciidoc | 35 +- ...tial-credential-access-via-dcsync.asciidoc | 21 +- ...ential-dns-tunneling-via-nslookup.asciidoc | 29 +- ...invoke-mimikatz-powershell-script.asciidoc | 152 + ...teral-tool-transfer-via-smb-share.asciidoc | 162 + ...tential-local-ntlm-relay-via-http.asciidoc | 70 + ...ication-of-accessibility-binaries.asciidoc | 36 +- ...ng-of-microsoft-365-user-accounts.asciidoc | 17 +- ...-bypass-via-localhost-secure-copy.asciidoc | 9 +- ...alation-via-installerfiletakeover.asciidoc | 38 +- ...ia-local-kerberos-relay-over-ldap.asciidoc | 81 + ...-process-injection-via-powershell.asciidoc | 34 +- ...te-credential-access-via-registry.asciidoc | 35 +- ...remote-desktop-tunneling-detected.asciidoc | 28 +- ...owershell-kerberos-ticket-request.asciidoc | 45 +- .../powershell-keylogging-script.asciidoc | 36 +- .../powershell-minidump-script.asciidoc | 34 +- 
.../powershell-psreflect-script.asciidoc | 46 +- ...ell-script-block-logging-disabled.asciidoc | 30 +- ...ery-related-windows-api-functions.asciidoc | 32 +- ...us-payload-encoded-and-compressed.asciidoc | 94 +- ...t-with-audio-capture-capabilities.asciidoc | 36 +- ...ript-with-screenshot-capabilities.asciidoc | 34 +- ...-started-from-process-id-pid-file.asciidoc | 84 + .../rdp-enabled-via-registry.asciidoc | 25 +- ...esktop-protocol-from-the-internet.asciidoc | 7 +- ...mputer-account-dnshostname-update.asciidoc | 73 + ...bled-in-windows-firewall-by-netsh.asciidoc | 22 +- .../remote-file-copy-via-teamviewer.asciidoc | 32 +- ...oad-via-desktopimgdownldr-utility.asciidoc | 36 +- ...remote-file-download-via-mpcmdrun.asciidoc | 36 +- ...mote-file-download-via-powershell.asciidoc | 36 +- ...e-download-via-script-interpreter.asciidoc | 45 +- .../remote-system-discovery-commands.asciidoc | 64 +- ...d-task-execution-at-scale-via-gpo.asciidoc | 20 +- ...or-saved-credentials-via-vaultcmd.asciidoc | 9 +- ...ity-software-discovery-using-wmic.asciidoc | 46 +- ...ationprivilege-assigned-to-a-user.asciidoc | 17 +- ...via-local-kerberos-authentication.asciidoc | 85 + ...xy-execution-via-ms-work-folders.asciidoc} | 14 +- ...authorized-keys-file-modification.asciidoc | 27 +- ...-persistence-via-unsigned-process.asciidoc | 44 +- ...ript-added-to-group-policy-object.asciidoc | 21 +- ...-or-run-key-registry-modification.asciidoc | 7 +- ...rsistence-by-a-suspicious-process.asciidoc | 44 +- .../strace-process-activity.asciidoc | 22 +- ...urst-command-and-control-activity.asciidoc | 43 +- ...us-.net-reflection-via-powershell.asciidoc | 94 +- .../suspicious-certutil-commands.asciidoc | 7 +- ...-crontab-creation-or-modification.asciidoc | 64 + ...rsistence-or-privilege-escalation.asciidoc | 9 +- ...soft-diagnostics-wizard-execution.asciidoc | 89 + ...uspicious-ms-office-child-process.asciidoc | 53 +- ...etwork-connection-attempt-by-root.asciidoc | 97 + 
...spicious-pdf-reader-child-process.asciidoc | 64 +- ...able-encoded-in-powershell-script.asciidoc | 49 +- ...cious-powershell-engine-imageload.asciidoc | 79 +- .../suspicious-powershell-script.asciidoc | 9 +- ...cious-print-spooler-file-deletion.asciidoc | 8 +- .../suspicious-process-from-conhost.asciidoc | 64 +- ...stry-access-via-sebackupprivilege.asciidoc | 11 +- ...spicious-solarwinds-child-process.asciidoc | 9 +- ...startup-shell-folder-modification.asciidoc | 29 +- .../svchost-spawning-cmd.asciidoc | 7 +- ...bolic-link-to-shadow-copy-created.asciidoc | 22 +- .../system-shells-via-services.asciidoc | 23 +- ...ring-of-bash-command-line-history.asciidoc | 39 +- .../telnet-port-activity.asciidoc | 7 +- ...es-deleted-via-unexpected-process.asciidoc | 28 +- ...ommon-registry-persistence-change.asciidoc | 7 +- .../unusual-linux-network-activity.asciidoc | 9 +- ...inux-network-connection-discovery.asciidoc | 9 +- ...usual-linux-network-port-activity.asciidoc | 9 +- .../unusual-linux-network-service.asciidoc | 60 - ...cess-calling-the-metadata-service.asciidoc | 9 +- ...-linux-process-discovery-activity.asciidoc | 9 +- ...em-information-discovery-activity.asciidoc | 9 +- ...m-network-configuration-discovery.asciidoc | 9 +- ...-owner-or-user-discovery-activity.asciidoc | 9 +- ...user-calling-the-metadata-service.asciidoc | 9 +- .../unusual-linux-username.asciidoc | 9 +- .../unusual-linux-web-activity.asciidoc | 60 - .../unusual-login-activity.asciidoc | 12 +- ...usual-print-spooler-child-process.asciidoc | 8 +- .../unusual-process-execution-temp.asciidoc | 20 +- .../unusual-process-for-a-linux-host.asciidoc | 9 +- ...nusual-process-for-a-windows-host.asciidoc | 9 +- .../unusual-sudo-activity.asciidoc | 9 +- .../unusual-windows-network-activity.asciidoc | 9 +- .../unusual-windows-path-activity.asciidoc | 9 +- ...cess-calling-the-metadata-service.asciidoc | 9 +- .../unusual-windows-remote-user.asciidoc | 9 +- .../unusual-windows-service.asciidoc | 9 +- 
...user-calling-the-metadata-service.asciidoc | 9 +- ...user-privilege-elevation-activity.asciidoc | 9 +- .../unusual-windows-username.asciidoc | 9 +- .../user-account-creation.asciidoc | 19 +- ...-account-exposed-to-kerberoasting.asciidoc | 25 +- ...vileged-group-in-active-directory.asciidoc | 14 +- ...y-deleted-or-resized-via-vssadmin.asciidoc | 52 +- ...adow-copy-deletion-via-powershell.asciidoc | 45 +- ...ume-shadow-copy-deletion-via-wmic.asciidoc | 45 +- ...e-padding-in-process-command-line.asciidoc | 19 +- .../whoami-process-activity.asciidoc | 50 +- ...isabled-via-registry-modification.asciidoc | 51 +- ...r-exclusions-added-via-powershell.asciidoc | 32 +- .../windows-event-logs-cleared.asciidoc | 53 +- ...-firewall-disabled-via-powershell.asciidoc | 47 +- .../windows-network-enumeration.asciidoc | 46 +- ...gistry-file-creation-in-smb-share.asciidoc | 30 +- ...ndows-script-executing-powershell.asciidoc | 40 +- prebuilt-rules-scripts/changelog-entries.yml | 1 + .../final-files/final-rule-file-8.3.0.json | 57894 ++++++++++++++++ .../gen-files/json-from-docs-8.3.0.json | 36572 ++++++++++ .../8.3.0-prebuilt-rule.json | 36572 ++++++++++ 208 files changed, 136676 insertions(+), 2347 deletions(-) create mode 100644 docs/detections/prebuilt-rules/rule-details/abnormal-process-id-or-lock-file-created.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/anomalous-kernel-module-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-redshift-cluster-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/binary-executed-from-shared-memory-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/elastic-agent-service-terminated.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kubernetes-user-exec-into-pod.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/lateral-tool-transfer.asciidoc delete mode 100644 
docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-apt-apt-get-changelog-escape.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-awk-commands.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-busybox-shell-evasion.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-c89-c99-shell-evasion.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-cpulimit-shell-evasion.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-crash-shell-evasion.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-env-shell-evasion.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-flock-shell-evasion.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-linux-binarys.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-the-expect-command.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-the-find-command.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-the-gcc-command.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-the-mysql-command.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-the-ssh-command.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-the-vi-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-invoke-mimikatz-powershell-script.asciidoc 
create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-lateral-tool-transfer-via-smb-share.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-local-ntlm-relay-via-http.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-local-kerberos-relay-over-ldap.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/process-started-from-process-id-pid-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/remote-computer-account-dnshostname-update.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/service-creation-via-local-kerberos-authentication.asciidoc rename docs/detections/prebuilt-rules/rule-details/{signed-proxy-execution-via-ms-workfolders.asciidoc => signed-proxy-execution-via-ms-work-folders.asciidoc} (91%) create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-crontab-creation-or-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-diagnostics-wizard-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-network-connection-attempt-by-root.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-linux-network-service.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-linux-web-activity.asciidoc create mode 100644 prebuilt-rules-scripts/diff-files/final-files/final-rule-file-8.3.0.json create mode 100644 prebuilt-rules-scripts/diff-files/gen-files/json-from-docs-8.3.0.json create mode 100644 prebuilt-rules-scripts/orig-rules-json-files/8.3.0-prebuilt-rule.json diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc index 438d9b62d9..a6e4f739c0 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc 
+++ b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc @@ -5,6 +5,35 @@ The following lists prebuilt rule updates per release. Only rules with significant modifications to their query or scope are listed. For detailed information about a rule's changes, see the rule's description page. +[float] +=== 8.3.0 + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + [float] === 8.2.0 @@ -150,8 +179,6 @@ information about a rule's changes, see the rule's description page. <> -<> - <> <> @@ -160,6 +187,8 @@ information about a rule's changes, see the rule's description page. <> +<> + <> <> @@ -207,8 +236,6 @@ information about a rule's changes, see the rule's description page. <> -<> - <> <> @@ -223,6 +250,8 @@ information about a rule's changes, see the rule's description page. <> +<> + <> <> diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index 360e5a07e8..d14b04400c 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc 
@@ -72,7 +72,7 @@ and their rule type is `machine_learning`. |<> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |6 <> -|<> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |5 <> +|<> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |6 <> |<> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |6 <> 
@@ -94,15 +94,17 @@ and their rule type is `machine_learning`. |<> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.16.0 |3 <> +|<> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |8.3.0 |1 + |<> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |5 <> |<> |Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |1 |<> |Identifies when a request has been made to transfer a Route 53 domain to another AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |1 -|<> |Identifies when an AWS Route Table has been created. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.16.0 |2 <> +|<> |Identifies when an AWS Route Table has been created. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.16.0 |3 <> -|<> |Identifies when an AWS Route Table has been modified or deleted. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.16.0 |2 <> +|<> |Identifies when an AWS Route Table has been modified or deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.16.0 |3 <> |<> |Identifies when a Route53 private hosted zone has been associated with VPC. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.16.0 |1 
@@ -120,31 +122,33 @@ and their rule type is `machine_learning`. |<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |8 <> +|<> |Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. |[Elastic] [Host] [Linux] [Threat Detection] [Execution] [BPFDoor] |8.3.0 |1 + |<> |Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. |[Elastic] [Network] [Threat Detection] [Lateral Movement] |7.10.0 |7 <> |<> |Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access] |7.12.0 |2 <> |<> |Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access] |7.10.0 |6 <> -|<> |Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. 
|[Elastic] [Host] [Windows] [Threat Detection] [Discovery] |7.7.0 |11 <> +|<> |Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] [Active Directory] |8.2.0 |2 <> -|<> |Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.0.0 |3 <> +|<> |Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery] |7.7.0 |12 <> -|<> |Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] [Active Directory] |8.2.0 |1 +|<> |Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.0.0 |3 <> -|<> |This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. 
|[Elastic] [Host] [Windows] [Threat Detection] [Discovery] |7.11.0 |7 <> +|<> |This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery] |7.11.0 |8 <> -|<
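Review bot: the file list commits three generated JSON artifacts totalling over 130,000 added lines (`final-rule-file-8.3.0.json` at 57894 insertions, `json-from-docs-8.3.0.json` and `8.3.0-prebuilt-rule.json` at 36572 insertions each); confirm that the `diff-files/gen-files` and `diff-files/final-files` intermediates are meant to be tracked rather than regenerated by the scripts, since the two 36572-line files look like copies of one another and will dominate every future diff of this repository. Also the new file `linux-restricted-shell-breakout-via-linux-binarys.asciidoc` carries the misspelling "binarys" (expected "binaries"); if the filename is derived from the rule title, fix it at the rule source before the docs are regenerated so the path does not have to be renamed later, as was needed for `signed-proxy-execution-via-ms-workfolders.asciidoc` in this same patch. The commit subject stops mid-sentence ("... with newly generated") and should at least name the release (8.3.0) and mention that fifteen per-binary shell-breakout rule pages are removed in favour of one consolidated page, since that is the most consequential change in the file list.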
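Review bot: in the changelog hunks `@@ -150,8 +179,6 @@`, `@@ -160,6 +187,8 @@`, `@@ -207,8 +236,6 @@` and `@@ -223,6 +250,8 @@` an entry is deleted from one position and a visually identical `<>` entry added a few lines further down under the same release heading; say in the commit description whether these are re-sorts of an existing entry (for example the rule renamed to Signed Proxy Execution via MS Work Folders) or removals and additions of different rules, because only the cross-reference target distinguishes them and that cannot be checked from the rendered list. The new `=== 8.3.0` section lists thirteen entries while the diffstat touches well over a hundred rule pages; the intro just above the hunk says only significant query or scope changes are listed, so a one-line statement of the selection rule used for this release would let a reviewer verify the thirteen against the version bumps in the reference table.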
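Review bot: in the reference table hunks several rows change only the version column while the description is unchanged (AWS IAM Password Recovery Requested 5 to 6 in `@@ -72,7 +72,7 @@`, AWS Route Table Created and AWS Route Table Modified or Deleted 2 to 3 in `@@ -94,15 +94,17 @@`, the SYSTEM account discovery rule 11 to 12, the "Don't Expire Password" rule 1 to 2 and AdFind 7 to 8 in `@@ -120,31 +122,33 @@`); the changelog intro tells the reader to look at the rule's description page for what changed, so each of these bumps should be backed by a visible change on that page, otherwise the bump is unexplained. The `@@ -120,31 +122,33 @@` hunk also deletes and re-adds three consecutive rows (account discovery, remote password reset, "Don't Expire Password") in a different order, with the password reset row re-added unchanged at version 3; mixing a reorder with version bumps makes it hard to confirm nothing was dropped, so consider doing the re-sort in its own commit.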
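Review bot: two of the new rows need a wording pass before they are published. The Abnormal Process ID or Lock File Created row reads "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run", which says "creation ... created" twice and drops the article; "Identifies the creation of a Process ID (PID), lock or reboot file in the temporary file storage (tmpfs) directory /var/run" reads cleanly. In the Amazon Redshift Cluster Creation row, "the resource may not properly be configured" should be "the resource may not be properly configured". Since these rows are generated from the rule metadata, make the fix in the rule source so it survives the next regeneration.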