Add docs for integration 0.14.2 rules package (#1161) (#1162)

* Add docs for integration 0.14.2 rules package

* update summary for release

(cherry picked from commit db3b87d)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

docs/detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rule-0-14-2-abnormally-large-dns-response.asciidoc

@@ -0,0 +1,107 @@
+[[prebuilt-rule-0-14-2-abnormally-large-dns-response]]
+=== Abnormally Large DNS Response
+
+Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* packetbeat-*
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
+* https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
+* https://github.com/maxpl0it/CVE-2020-1350-DoS
+
+*Tags*: 
+
+* Elastic
+* Network
+* Threat Detection
+* Lateral Movement
+
+*Version*: 5
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Triage and analysis
+
+### Investigating Large DNS Responses
+Detection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS
+server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350)
+also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.
+
+#### Possible investigation steps:
+- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate
+the source of the incoming traffic and determine if this activity has been observed previously within an environment.
+- Activity can be further investigated and validated by reviewing available corresponding Intrusion Detection Signatures (IDS) alerts associated with activity.
+- Further examination can be made by reviewing the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
+- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.
+- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.
+
+#### False Positive Analysis
+- Based on this rule which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes
+and related to legitimate behavior.  In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses
+were all observed as greater than 65k bytes.
+- This activity has the ability to be triggered from compliance/vulnerability scanning or compromise assessment, it's
+important to determine the source of the activity and potential whitelist the source host
+
+
+### Related Rules
+- Unusual Child Process of dns.exe
+- Unusual File Modification by dns.exe
+
+### Response and Remediation
+- Review and implement the above detection logic within your environment using technology such as Endpoint security, Winlogbeat, Packetbeat, or network security monitoring (NSM) platforms such as Zeek or Suricata.
+- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restart the
+patched machines. If unable to patch immediately: Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn’t require a
+restart. This can be used as a temporary solution before the patch is applied.
+- Maintain backups of your critical systems to aid in quick recovery.
+- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.
+- If observed true positive activity, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
+
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.category:(network or network_traffic) and destination.port:53 and
+  (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Exploitation of Remote Services
+** ID: T1210
+** Reference URL: https://attack.mitre.org/techniques/T1210/

docs/detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rule-0-14-2-adfind-command-activity.asciidoc

@@ -0,0 +1,139 @@
+[[prebuilt-rule-0-14-2-adfind-command-activity]]
+=== AdFind Command Activity
+
+This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
+
+*Rule type*: eql
+
+*Rule indices*: 
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* http://www.joeware.net/freetools/tools/adfind/
+* https://thedfirreport.com/2020/05/08/adfind-recon/
+* https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+* https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
+* https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+* https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf
+
+*Tags*: 
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Discovery
+
+*Version*: 5
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Triage and analysis
+
+### Investigating AdFind Command Activity
+
+[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from
+Activity Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways
+they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and
+understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/)
+observed where this tool has been adopted by ransomware and criminal groups and used in compromises.
+
+#### Possible investigation steps:
+- `AdFind` is a legitimate Active Directory enumeration tool used by network administrators, it's important to understand
+the source of the activity.  This could involve identifying the account using `AdFind` and determining based on the command-lines
+what information was retrieved, then further determining if these actions are in scope of that user's traditional responsibilities.
+- In multiple public references, `AdFind` is leveraged after initial access is achieved, review previous activity on impacted
+machine looking for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic
+to suspicious infrastructure
+
+### False Positive Analysis
+- This rule has the high chance to produce false positives as it is a legitimate tool used by network administrators. One
+option could be whitelisting specific users or groups who use the tool as part of their daily responsibilities. This can
+be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment
+- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in
+isolation, so reviewing previous logs/activity from impacted machines could be very telling.
+
+### Related Rules
+- Windows Network Enumeration
+- Enumeration of Administrator Accounts
+- Enumeration Command Spawned via WMIPrvSE
+
+### Response and Remediation
+- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
+post-compromise behavior
+- It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate
+purposes, so understanding the intent behind the activity will help determine the appropropriate response.
+
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type in ("start", "process_started") and 
+  (process.name : "AdFind.exe" or process.pe.original_file_name == "AdFind.exe") and 
+  process.args : ("objectcategory=computer", "(objectcategory=computer)", 
+                  "objectcategory=person", "(objectcategory=person)",
+                  "objectcategory=subnet", "(objectcategory=subnet)",
+                  "objectcategory=group", "(objectcategory=group)", 
+                  "objectcategory=organizationalunit", "(objectcategory=organizationalunit)",
+                  "objectcategory=attributeschema", "(objectcategory=attributeschema)",
+                  "domainlist", "dcmodes", "adinfo", "dclist", "computers_pwnotreqd", "trustdmp")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Permission Groups Discovery
+** ID: T1069
+** Reference URL: https://attack.mitre.org/techniques/T1069/
+* Sub-technique:
+** Name: Domain Groups
+** ID: T1069.002
+** Reference URL: https://attack.mitre.org/techniques/T1069/002/
+* Technique:
+** Name: Account Discovery
+** ID: T1087
+** Reference URL: https://attack.mitre.org/techniques/T1087/
+* Sub-technique:
+** Name: Domain Account
+** ID: T1087.002
+** Reference URL: https://attack.mitre.org/techniques/T1087/002/
+* Technique:
+** Name: Domain Trust Discovery
+** ID: T1482
+** Reference URL: https://attack.mitre.org/techniques/T1482/
+* Technique:
+** Name: Remote System Discovery
+** ID: T1018
+** Reference URL: https://attack.mitre.org/techniques/T1018/

docs/detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rule-0-14-2-aws-elasticache-security-group-created.asciidoc

@@ -0,0 +1,78 @@
+[[prebuilt-rule-0-14-2-aws-elasticache-security-group-created]]
+=== AWS ElastiCache Security Group Created
+
+Identifies when an ElastiCache security group has been created.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 10m
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html
+
+*Tags*: 
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Monitoring
+
+*Version*: 1
+
+*Rule authors*: 
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and 
+event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify Cloud Firewall
+** ID: T1562.007
+** Reference URL: https://attack.mitre.org/techniques/T1562/007/