[Detection Rules] Add 7.11 rules #85506
Conversation
brokensound77
added
release_note:skip
brokensound77
added
v7.11.0
Team: SecuritySolution
...lution/server/lib/detection_engine/rules/prepackaged_rules/discovery_file_dir_discovery.json
Show resolved
Hide resolved
.../detection_engine/rules/prepackaged_rules/persistence_suspicious_scheduled_task_runtime.json
Show resolved
Hide resolved
...r/lib/detection_engine/rules/prepackaged_rules/persistence_via_hidden_run_key_valuename.json
Show resolved
Hide resolved
.../server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_scripts.json
Show resolved
Hide resolved
| "name": "Enumeration of Administrator Accounts", | ||
| "query": "process where event.type in (\"start\", \"process_started\") and\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n", |
There was a problem hiding this comment.
No comments here, this one should work right?
There was a problem hiding this comment.
Broke it out to make precedence more readable
process where event.type in ("start", "process_started") and
(
(
(process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
(
(process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
not process.parent.name : "net.exe"
)
) and
process.args : ("group", "user", "localgroup") and
process.args : ("admin", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management") and
not process.args : "/add"
)
or
(
(process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
process.args : ("group", "useraccount")
)Query looks good to me. Based on the location of the error, looks like it could also be an issue with case insensitive compare of multiple args, though I got the same error as above in siem-dev via EQL API search. Thoughts @rw-access
There was a problem hiding this comment.
There was a problem hiding this comment.
Checked out, tested upgrade locally and all rules installed without issue! 🎉 Had to fetch the latest to avoid an SO migration error since #82969 got merged in-between the last build, but no other issues observed on upgrade.
There were some rule run failures which I commented on (and I'm sure you're tracking :), but just wanted to note as everything else looks 👍 for approval and we can tweak those in follow-ups like last time.
Great stuff here -- thanks for all your hard work @elastic/protections!!! To 451 and beyond!! 🚀 😀
| "subtechnique": [ | ||
| { | ||
| "id": "T1087.002", | ||
| "name": "Domain Account", | ||
| "reference": "https://attack.mitre.org/techniques/T1087/002/" | ||
| } | ||
| ] |
There was a problem hiding this comment.
Look at those sub-techniques! 🙌 @dplumlee 🙌
|
Thanks for testing these @spong! I created a few issues to track your findings and as @rw-access mentioned, we will need to see why the ES is having issues with the EQL searches. I am going to merge this before too much changes in Kibana. We will be making a few more PRs for rule changes over the next few weeks, and we can include revisions from this as needed 👍 |
Summary
Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.11
Checklist