diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
index cd6d899133bff..b454501e9f563 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
@@ -69,57 +69,56 @@ import rule59 from './linux_nping_activity.json';
 import rule60 from './linux_process_started_in_temp_directory.json';
 import rule61 from './linux_shell_activity_by_web_server.json';
 import rule62 from './linux_socat_activity.json';
-import rule63 from './linux_ssh_forwarding.json';
-import rule64 from './linux_strace_activity.json';
-import rule65 from './linux_tcpdump_activity.json';
-import rule66 from './linux_whoami_commmand.json';
-import rule67 from './network_dns_directly_to_the_internet.json';
-import rule68 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
-import rule69 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
-import rule70 from './network_nat_traversal_port_activity.json';
-import rule71 from './network_port_26_activity.json';
-import rule72 from './network_port_8000_activity_to_the_internet.json';
-import rule73 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
-import rule74 from './network_proxy_port_activity_to_the_internet.json';
-import rule75 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
-import rule76 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
-import rule77 from './network_rpc_remote_procedure_call_from_the_internet.json';
-import rule78 from './network_rpc_remote_procedure_call_to_the_internet.json';
-import rule79 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
-import rule80 from './network_smtp_to_the_internet.json';
-import rule81 from './network_sql_server_port_activity_to_the_internet.json';
-import rule82 from './network_ssh_secure_shell_from_the_internet.json';
-import rule83 from './network_ssh_secure_shell_to_the_internet.json';
-import rule84 from './network_telnet_port_activity.json';
-import rule85 from './network_tor_activity_to_the_internet.json';
-import rule86 from './network_vnc_virtual_network_computing_from_the_internet.json';
-import rule87 from 
'./network_vnc_virtual_network_computing_to_the_internet.json';
-import rule88 from './null_user_agent.json';
-import rule89 from './sqlmap_user_agent.json';
-import rule90 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
-import rule91 from './windows_certutil_connecting_to_the_internet.json';
-import rule92 from './windows_command_prompt_connecting_to_the_internet.json';
-import rule93 from './windows_command_shell_started_by_internet_explorer.json';
-import rule94 from './windows_command_shell_started_by_powershell.json';
-import rule95 from './windows_command_shell_started_by_svchost.json';
-import rule96 from './windows_defense_evasion_via_filter_manager.json';
-import rule97 from './windows_execution_via_compiled_html_file.json';
-import rule98 from './windows_execution_via_connection_manager.json';
-import rule99 from './windows_execution_via_net_com_assemblies.json';
-import rule100 from './windows_execution_via_regsvr32.json';
-import rule101 from './windows_execution_via_trusted_developer_utilities.json';
-import rule102 from './windows_html_help_executable_program_connecting_to_the_internet.json';
-import rule103 from './windows_misc_lolbin_connecting_to_the_internet.json';
-import rule104 from './windows_net_command_activity_by_the_system_account.json';
-import rule105 from './windows_persistence_via_application_shimming.json';
-import rule106 from './windows_priv_escalation_via_accessibility_features.json';
-import rule107 from './windows_process_discovery_via_tasklist_command.json';
-import rule108 from './windows_process_execution_via_wmi.json';
-import rule109 from './windows_register_server_program_connecting_to_the_internet.json';
-import rule110 from './windows_signed_binary_proxy_execution.json';
-import rule111 from './windows_signed_binary_proxy_execution_download.json';
-import rule112 from './windows_suspicious_process_started_by_a_script.json';
-import rule113 from 
'./windows_whoami_command_activity.json';
+import rule63 from './linux_strace_activity.json';
+import rule64 from './linux_tcpdump_activity.json';
+import rule65 from './linux_whoami_commmand.json';
+import rule66 from './network_dns_directly_to_the_internet.json';
+import rule67 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
+import rule68 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
+import rule69 from './network_nat_traversal_port_activity.json';
+import rule70 from './network_port_26_activity.json';
+import rule71 from './network_port_8000_activity_to_the_internet.json';
+import rule72 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
+import rule73 from './network_proxy_port_activity_to_the_internet.json';
+import rule74 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
+import rule75 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
+import rule76 from './network_rpc_remote_procedure_call_from_the_internet.json';
+import rule77 from './network_rpc_remote_procedure_call_to_the_internet.json';
+import rule78 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
+import rule79 from './network_smtp_to_the_internet.json';
+import rule80 from './network_sql_server_port_activity_to_the_internet.json';
+import rule81 from './network_ssh_secure_shell_from_the_internet.json';
+import rule82 from './network_ssh_secure_shell_to_the_internet.json';
+import rule83 from './network_telnet_port_activity.json';
+import rule84 from './network_tor_activity_to_the_internet.json';
+import rule85 from './network_vnc_virtual_network_computing_from_the_internet.json';
+import rule86 from './network_vnc_virtual_network_computing_to_the_internet.json';
+import rule87 from './null_user_agent.json';
+import rule88 from './sqlmap_user_agent.json';
+import rule89 from 
'./windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
+import rule90 from './windows_certutil_connecting_to_the_internet.json';
+import rule91 from './windows_command_prompt_connecting_to_the_internet.json';
+import rule92 from './windows_command_shell_started_by_internet_explorer.json';
+import rule93 from './windows_command_shell_started_by_powershell.json';
+import rule94 from './windows_command_shell_started_by_svchost.json';
+import rule95 from './windows_defense_evasion_via_filter_manager.json';
+import rule96 from './windows_execution_via_compiled_html_file.json';
+import rule97 from './windows_execution_via_connection_manager.json';
+import rule98 from './windows_execution_via_net_com_assemblies.json';
+import rule99 from './windows_execution_via_regsvr32.json';
+import rule100 from './windows_execution_via_trusted_developer_utilities.json';
+import rule101 from './windows_html_help_executable_program_connecting_to_the_internet.json';
+import rule102 from './windows_misc_lolbin_connecting_to_the_internet.json';
+import rule103 from './windows_net_command_activity_by_the_system_account.json';
+import rule104 from './windows_persistence_via_application_shimming.json';
+import rule105 from './windows_priv_escalation_via_accessibility_features.json';
+import rule106 from './windows_process_discovery_via_tasklist_command.json';
+import rule107 from './windows_process_execution_via_wmi.json';
+import rule108 from './windows_register_server_program_connecting_to_the_internet.json';
+import rule109 from './windows_signed_binary_proxy_execution.json';
+import rule110 from './windows_signed_binary_proxy_execution_download.json';
+import rule111 from './windows_suspicious_process_started_by_a_script.json';
+import rule112 from './windows_whoami_command_activity.json';
 export const rawRules = [
 rule1,
 rule2,
@@ -233,5 +232,4 @@ export const rawRules = [
 rule110,
 rule111,
 rule112,
- rule113,
 ];
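Review bot: Positional binding names turn the removal of one rule into a renumbering of every later import (rule63 through rule112 here), in which a single transposed line would silently swap two rules, so the new side deserves a line-by-line check against the old side; naming each binding after its file (`import linuxStraceActivity from './linux_strace_activity.json';`) would keep future removals to a one-line diff. Separately, dropping linux_ssh_forwarding.json from rawRules only stops it from being offered as a prepackaged rule; whether copies of rule_id 45d256ab-e665-445b-8306-2f83a8db59f8 already installed on existing deployments need any handling, and why the rule is retired, is not stated anywhere on the page and belongs in the description. The rawRules array is declared between this hunk and the next, outside the visible lines.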
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
index c7d856cbe61f3..ac817762fdb71 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
@@ -32,7 +32,7 @@
 {
 "id": "T1100",
 "name": "Web Shell",
- "reference": "https://attack.mitre.org/techniques/T1215/"
+ "reference": "https://attack.mitre.org/techniques/T1100/"
 }
 ]
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
deleted file mode 100644
index 3b61814ab66fd..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
+++ /dev/null
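Review bot: The technique `id` and its `reference` URL are maintained by hand in two places, which is how this file and network_port_26_activity.json, network_rdp_remote_desktop_protocol_from_the_internet.json, network_rpc_remote_procedure_call_from_the_internet.json and network_smb_windows_file_sharing_activity_to_the_internet.json drifted apart; patching the five instances leaves the next one to a reviewer's eye. A test over rawRules that asserts, for every technique entry, `expect(reference).toBe(`https://attack.mitre.org/techniques/${id}/`)` (and the `/tactics/` form for each tactic) would catch this class of error at build time, and the same test is a natural place to check that `rule_id` values are unique across the set. Here only the reference changed, so the assumption that T1100 rather than T1215 was intended rests on the `name` "Web Shell", which does correspond to T1100.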
@@ -1,43 +0,0 @@
-{
- "description": "An SSH processes ran with the `-R` flag which can be used to forward a port to a remote destination for purposes of pivoting and persistence. This technique often used to create encrypted tunnels and circumvent firewalls, security groups or network access lists.",
- "false_positives": [
- "Some normal use of this command may originate from usage by engineers as an alternative or ad-hoc remote access solution. Use of this command by non-administrative users is uncommon."
- ],
- "index": [
- "auditbeat-*"
- ],
- "language": "kuery",
- "max_signals": 33,
- "name": "Potential Lateral Movement via SSH Port Forwarding",
- "query": "process.name:ssh and process.args:\"-R\" and event.action:executed",
- "references": [
- "https://www.ssh.com/ssh/tunneling",
- "https://www.ssh.com/ssh/tunneling/example"
- ],
- "risk_score": 47,
- "rule_id": "45d256ab-e665-445b-8306-2f83a8db59f8",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Linux"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0008",
- "name": "Lateral Movement",
- "reference": "https://attack.mitre.org/tactics/TA0008/"
- },
- "technique": [
- {
- "id": "T1184",
- "name": "SSH Hijacking",
- "reference": "https://attack.mitre.org/techniques/T1184/"
- }
- ]
- }
- ],
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
index 6f8bc112fd011..f5488ae49d0fb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
@@ -1,5 +1,5 @@
 {
- "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privlieges or move laterally.",
+ "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.",
 "false_positives": [
 "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
 ],
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
index 59db16c7b7d3d..352fc5e44dc80 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
@@ -49,7 +49,7 @@
 },
 "technique": [
 {
- "id": "T1043",
+ "id": "T1048",
 "name": "Exfiltration Over Alternative Protocol",
 "reference": "https://attack.mitre.org/techniques/T1048/"
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
index 76528da19a57c..e3853c30e6ad9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
@@ -45,7 +45,7 @@
 },
 "technique": [
 {
- "id": "T1190",
+ "id": "T1021",
 "name": "Remote Services",
 "reference": "https://attack.mitre.org/techniques/T1021/"
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
index ca6715ac48785..1570d3d155fea 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
@@ -29,7 +29,7 @@
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
- "reference": "https://attack.mitre.org/techniques/T1043/"
+ "reference": "https://attack.mitre.org/techniques/T1190/"
 }
 ]
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
index ee47dff73db40..991c626c11d33 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
@@ -42,7 +42,7 @@
 },
 "technique": [
 {
- "id": "T1043",
+ "id": "T1048",
 "name": "Exfiltration Over Alternative Protocol",
 "reference": "https://attack.mitre.org/techniques/T1048/"
 }
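Review bot: Changing the technique `id` from T1190 to T1021 assumes the reference URL was the correct half of the pair, but the two techniques belong to different tactics (T1190 Exploit Public-Facing Application under Initial Access, T1021 Remote Services under Lateral Movement), and the `tactic` object that closes at this hunk's first `},` is outside the visible lines. Please confirm that tactic's `id` and `name` agree with T1021; if they say Initial Access, the fix should have gone the other way, as it did in network_rpc_remote_procedure_call_from_the_internet.json where the URL was corrected to match T1190. For a rule about RDP reachable from the internet either mapping is defensible, so the tactic block is the deciding context.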
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
index 87a3119ac780d..7975c30a4ea38 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
@@ -1,7 +1,7 @@
 {
 "description": "A request to a web application server contained no identifying user agent string.",
 "false_positives": [
- "Some normal applications and scripts may contain no user agent. Most legitmate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
+ "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
 ],
 "filters": [
 {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
index 72d85dcbffc06..44e112d09a45b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
@@ -1,7 +1,7 @@
 {
 "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11 which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities. ",
 "false_positives": [
- "This signal does not indicate that a SQL injection attack occured, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+ "This signal does not indicate that a SQL injection attack occurred, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
 ],
 "index": [
 "apm-*-transaction*"