[Detection Rules] Add 7.11 rules

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json

@@ -0,0 +1,35 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.",
+ "false_positives": [
+ "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "from": "now-130m",
+ "index": [
+ "filebeat-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License",
+ "name": "Application Added to Google Workspace Domain",
+ "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+ "query": "event.dataset:gsuite.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
+ "references": [
+ "https://support.google.com/a/answer/6328701?hl=en#"
+ ],
+ "risk_score": 47,
+ "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Google Workspace",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "type": "query",
+ "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json

@@ -0,0 +1,36 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License",
+ "name": "Attempt to Deactivate an Okta Network Zone",
+ "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:okta.system and event.action:zone.deactivate",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "risk_score": 47,
+ "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Identity",
+ "Okta",
+ "Continuous Monitoring",
+ "SecOps",
+ "Network Security"
+ ],
+ "type": "query",
+ "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json

@@ -0,0 +1,36 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License",
+ "name": "Attempt to Delete an Okta Network Zone",
+ "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:okta.system and event.action:zone.delete",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "risk_score": 47,
+ "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Identity",
+ "Okta",
+ "Continuous Monitoring",
+ "SecOps",
+ "Network Security"
+ ],
+ "type": "query",
+ "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json

@@ -0,0 +1,58 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. If using Filebeat, this rule requires the Suricata or Zeek modules. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1) - see the Reference section for additional information on module configuration.",
+ "index": [
+ "filebeat-*",
+ "packetbeat-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License",
+ "name": "Default Cobalt Strike Team Server Certificate",
+ "note": "While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly.",
+ "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)",
+ "references": [
+ "https://attack.mitre.org/software/S0154/",
+ "https://www.cobaltstrike.com/help-setup-collaboration",
+ "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
+ "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
+ "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html"
+ ],
+ "risk_score": 100,
+ "rule_id": "e7075e8d-a966-458e-a183-85cd331af255",
+ "severity": "critical",
+ "tags": [
+ "Command and Control",
+ "Post-Execution",
+ "Threat Detection, Prevention and Hunting",
+ "Elastic",
+ "Network"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1071",
+ "name": "Application Layer Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1071/",
+ "subtechnique": [
+ {
+ "id": "T1071.001",
+ "name": "Web Protocols",
+ "reference": "https://attack.mitre.org/techniques/T1071/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json

@@ -0,0 +1,44 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License",
+ "name": "Connection to Commonly Abused Web Services",
+ "query": "network where network.protocol == \"dns\" and\n /* Add new WebSvc domains here */\n wildcard(dns.question.name, \"*.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\"\n ) and\n /* Insert noisy false positives here */\n not process.name in (\"MicrosoftEdgeCP.exe\",\n \"MicrosoftEdge.exe\",\n \"iexplore.exe\",\n \"chrome.exe\",\n \"msedge.exe\",\n \"opera.exe\",\n \"firefox.exe\",\n \"Dropbox.exe\",\n \"slack.exe\",\n \"svchost.exe\",\n \"thunderbird.exe\",\n \"outlook.exe\",\n \"OneDrive.exe\")\n",
+ "risk_score": 21,
+ "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1102",
+ "name": "Web Service",
+ "reference": "https://attack.mitre.org/techniques/T1102/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json

@@ -13,7 +13,7 @@
  "language": "kuery",
  "license": "Elastic License",
  "name": "DNS Activity to the Internet",
- "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
+ "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or 255.255.255.255 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")",
  "references": [
  "https://www.us-cert.gov/ncas/alerts/TA15-240A",
  "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf"
@@ -45,5 +45,5 @@
  }
  ],
  "type": "query",
- "version": 5
+ "version": 6
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json

@@ -0,0 +1,51 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License",
+ "name": "Potential DNS Tunneling via NsLookup",
+ "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)",
+ "references": [
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
+ ],
+ "risk_score": 47,
+ "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1071",
+ "name": "Application Layer Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1071/"
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "field": "host.id",
+ "value": 15
+ },
+ "type": "threshold",
+ "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_encrypted_channel_freesslcert.json

@@ -0,0 +1,44 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License",
+ "name": "Connection to Commonly Abused Free SSL Certificate Providers",
+ "query": "network where network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n \n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n \n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n",
+ "risk_score": 21,
+ "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1573",
+ "name": "Encrypted Channel",
+ "reference": "https://attack.mitre.org/techniques/T1573/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json

@@ -14,7 +14,7 @@
  "language": "kuery",
  "license": "Elastic License",
  "name": "FTP (File Transfer Protocol) Activity to the Internet",
- "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+ "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
  "risk_score": 21,
  "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
  "severity": "low",
@@ -58,5 +58,5 @@
  }
  ],
  "type": "query",
- "version": 5
+ "version": 6
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json

@@ -0,0 +1,44 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License",
+ "name": "Potential Command and Control via Internet Explorer",
+ "query": "sequence by host.id, process.entity_id with maxspan = 1s\n [process where event.type:\"start\" and process.parent.name:\"iexplore.exe\" and process.parent.args:\"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol : \"dns\" and process.name:\"iexplore.exe\" and\n not wildcard(dns.question.name, \"*.microsoft.com\", \n \"*.digicert.com\", \n \"*.msocsp.com\", \n \"*.windowsupdate.com\", \n \"*.bing.com\",\n \"*.identrust.com\")\n ]\n",
+ "risk_score": 43,
+ "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1071",
+ "name": "Application Layer Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1071/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 1
+}