From d07ae02c3b91292224b454a892a3eeb14a1e0e32 Mon Sep 17 00:00:00 2001 
From: Justin Ibarra Date: Tue, 14 Dec 2021 06:43:00 -0900 Subject: [PATCH] Add rules for integration-v0.14.3 (#1331) * Add rules for integration-v0.14.3 * add summary note * fix link * fix file name * remove duplicated links caused by a deprecation/rename * update date and summary description --- ...3-account-password-reset-remotely.asciidoc | 70 +++++++ ...-efs-file-system-or-mount-deleted.asciidoc | 75 ++++++++ ...ntbridge-rule-disabled-or-deleted.asciidoc | 71 +++++++ ...le-0-14-3-aws-rds-snapshot-export.asciidoc | 69 +++++++ ...-0-14-3-aws-rds-snapshot-restored.asciidoc | 71 +++++++ ...le-0-14-3-aws-route-table-created.asciidoc | 73 ++++++++ ...hosted-zone-associated-with-a-vpc.asciidoc | 74 ++++++++ ...ilt-rule-0-14-3-aws-saml-activity.asciidoc | 87 +++++++++ ...oken-service-sts-assumerole-usage.asciidoc | 86 +++++++++ ...-high-risk-user-sign-in-heuristic.asciidoc | 76 ++++++++ ...ure-blob-permissions-modification.asciidoc | 76 ++++++++ ...l-network-packet-capture-detected.asciidoc | 79 ++++++++ ...3-azure-kubernetes-events-deleted.asciidoc | 78 ++++++++ ...4-3-azure-kubernetes-pods-deleted.asciidoc | 70 +++++++ ...e-kubernetes-rolebindings-created.asciidoc | 73 ++++++++ ...etwork-device-modified-or-deleted.asciidoc | 75 ++++++++ ...-clearing-windows-console-history.asciidoc | 73 ++++++++ ...-14-3-clearing-windows-event-logs.asciidoc | 68 +++++++ ...-component-object-model-hijacking.asciidoc | 81 ++++++++ ...el-process-with-unusual-arguments.asciidoc | 82 +++++++++ ...-security-settings-via-powershell.asciidoc | 69 +++++++ ...s-over-https-enabled-via-registry.asciidoc | 70 +++++++ ...rivileged-local-groups-membership.asciidoc | 98 ++++++++++ ...g-exchange-mailbox-via-powershell.asciidoc | 73 ++++++++ ...s-rolebindings-created-or-patched.asciidoc | 74 ++++++++ ...tual-private-cloud-route-creation.asciidoc | 63 +++++++ ...t-rule-0-14-3-hosts-file-modified.asciidoc | 95 ++++++++++ ...g-dcom-lateral-movement-via-mshta.asciidoc | 86 +++++++++ 
...ng-dcom-lateral-movement-with-mmc.asciidoc | 73 ++++++++ ...hellbrowserwindow-or-shellwindows.asciidoc | 74 ++++++++ ...execution-via-powershell-remoting.asciidoc | 67 +++++++ ...-execution-via-winrm-remote-shell.asciidoc | 65 +++++++ ...rocess-making-network-connections.asciidoc | 69 +++++++ ...eros-traffic-from-unusual-process.asciidoc | 65 +++++++ ...rule-0-14-3-lateral-tool-transfer.asciidoc | 67 +++++++ ...4-3-local-scheduled-task-creation.asciidoc | 77 ++++++++ ...365-potential-ransomware-activity.asciidoc | 75 ++++++++ ...ngine-started-by-a-script-process.asciidoc | 71 +++++++ ...ker-spawning-suspicious-processes.asciidoc | 68 +++++++ ...14-3-network-connection-via-mshta.asciidoc | 71 +++++++ ...work-connection-via-signed-binary.asciidoc | 77 ++++++++ ...oweddeviceid-added-via-powershell.asciidoc | 69 +++++++ ...uled-task-activity-via-powershell.asciidoc | 69 +++++++ ...cess-via-duplicatehandle-in-lsass.asciidoc | 72 ++++++++ ...tial-access-via-lsass-memory-dump.asciidoc | 73 ++++++++ ...cess-via-renamed-com-services-dll.asciidoc | 83 +++++++++ ...e-creation-via-psscapturesnapshot.asciidoc | 79 ++++++++ ...emory-dump-via-psscapturesnapshot.asciidoc | 81 ++++++++ ...-process-injection-via-powershell.asciidoc | 78 ++++++++ ...-14-3-potential-sharprdp-behavior.asciidoc | 84 +++++++++ ...indows-error-manager-masquerading.asciidoc | 69 +++++++ ...14-3-powershell-keylogging-script.asciidoc | 83 +++++++++ ...0-14-3-powershell-minidump-script.asciidoc | 79 ++++++++ ...ery-related-windows-api-functions.asciidoc | 99 ++++++++++ ...t-with-audio-capture-capabilities.asciidoc | 77 ++++++++ ...ia-rogue-named-pipe-impersonation.asciidoc | 78 ++++++++ ...s-activity-via-compiled-html-file.asciidoc | 79 ++++++++ ...nsomware-detected-elastic-endgame.asciidoc | 45 +++++ ...somware-prevented-elastic-endgame.asciidoc | 45 +++++ ...mote-file-download-via-powershell.asciidoc | 78 ++++++++ ...e-download-via-script-interpreter.asciidoc | 65 +++++++ 
...-3-remote-scheduled-task-creation.asciidoc | 122 ++++++++++++ ...remotely-started-services-via-rpc.asciidoc | 73 ++++++++ ...file-downloaded-from-the-internet.asciidoc | 110 +++++++++++ ...-task-created-by-a-windows-script.asciidoc | 77 ++++++++ ...14-3-suspicious-certutil-commands.asciidoc | 69 +++++++ ...4-3-suspicious-java-child-process.asciidoc | 71 +++++++ ...ous-net-reflection-via-powershell.asciidoc | 86 +++++++++ ...able-encoded-in-powershell-script.asciidoc | 67 +++++++ ...ess-access-via-direct-system-call.asciidoc | 67 +++++++ ...icious-process-creation-calltrace.asciidoc | 69 +++++++ ...4-3-suspicious-zoom-child-process.asciidoc | 66 +++++++ ...0-14-3-system-shells-via-services.asciidoc | 70 +++++++ ...es-deleted-via-unexpected-process.asciidoc | 75 ++++++++ ...ebeat-module-v7-x-indicator-match.asciidoc | 106 +++++++++++ ...adow-copy-deletion-via-powershell.asciidoc | 70 +++++++ ...ess-child-of-common-web-processes.asciidoc | 87 +++++++++ ...e-padding-in-process-command-line.asciidoc | 72 ++++++++ ...r-exclusions-added-via-powershell.asciidoc | 127 +++++++++++++ ...-firewall-disabled-via-powershell.asciidoc | 74 ++++++++ ...4-3-wmi-incoming-lateral-movement.asciidoc | 82 +++++++++ .../prebuilt-rules-0-14-3-appendix.asciidoc | 87 +++++++++ .../prebuilt-rules-0-14-3-summary.asciidoc | 174 ++++++++++++++++++ ...ebuilt-rules-downloadable-updates.asciidoc | 7 +- docs/index.asciidoc | 2 + 85 files changed, 6448 insertions(+), 1 deletion(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-account-password-reset-remotely.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-efs-file-system-or-mount-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-eventbridge-rule-disabled-or-deleted.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-rds-snapshot-export.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-rds-snapshot-restored.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-route-table-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-saml-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-security-token-service-sts-assumerole-usage.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-blob-permissions-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-full-network-packet-capture-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-events-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-pods-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-rolebindings-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-virtual-network-device-modified-or-deleted.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-clearing-windows-console-history.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-clearing-windows-event-logs.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-component-object-model-hijacking.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-control-panel-process-with-unusual-arguments.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-disabling-windows-defender-security-settings-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-dns-over-https-enabled-via-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-enumeration-of-privileged-local-groups-membership.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-exporting-exchange-mailbox-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-gcp-kubernetes-rolebindings-created-or-patched.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-gcp-virtual-private-cloud-route-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-hosts-file-modified.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-via-mshta.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-mmc.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-execution-via-powershell-remoting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-execution-via-winrm-remote-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-installutil-process-making-network-connections.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-kerberos-traffic-from-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-lateral-tool-transfer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-local-scheduled-task-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-365-potential-ransomware-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-build-engine-started-by-a-script-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-network-connection-via-mshta.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-network-connection-via-signed-binary.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-new-activesyncalloweddeviceid-added-via-powershell.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-outbound-scheduled-task-activity-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-lsass-memory-dump.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-renamed-com-services-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-process-injection-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-sharprdp-behavior.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-windows-error-manager-masquerading.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-keylogging-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-minidump-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-suspicious-discovery-related-windows-api-functions.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-process-activity-via-compiled-html-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-ransomware-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-ransomware-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-file-download-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-file-download-via-script-interpreter.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-scheduled-task-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remotely-started-services-via-rpc.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-scheduled-task-created-by-a-windows-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-certutil-commands.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-java-child-process.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-net-reflection-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-portable-executable-encoded-in-powershell-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-process-access-via-direct-system-call.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-process-creation-calltrace.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-zoom-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-system-shells-via-services.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-third-party-backup-files-deleted-via-unexpected-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-threat-intel-filebeat-module-v7-x-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-volume-shadow-copy-deletion-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-webshell-detection-script-process-child-of-common-web-processes.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-whitespace-padding-in-process-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-windows-defender-exclusions-added-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-windows-firewall-disabled-via-powershell.asciidoc create 
mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-wmi-incoming-lateral-movement.asciidoc
create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rules-0-14-3-appendix.asciidoc
create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rules-0-14-3-summary.asciidoc
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-account-password-reset-remotely.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-account-password-reset-remotely.asciidoc
new file mode 100644
index 0000000000..99eaec9cd9
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-account-password-reset-remotely.asciidoc
@@ -0,0 +1,70 @@
+[[prebuilt-rule-0-14-3-account-password-reset-remotely]]
+=== Account Password Reset Remotely
+
+Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
+* https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/
+* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=5m
+ [authentication where event.action == "logged-in" and
+ /* event 4624 need to be logged */
+ winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
+ not source.ip in ("127.0.0.1", "::1")] by winlog.event_data.TargetLogonId
+ /* event 4724 need to be logged */
+ [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-efs-file-system-or-mount-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-efs-file-system-or-mount-deleted.asciidoc
new file mode 100644
index 0000000000..e96cdff491
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-efs-file-system-or-mount-deleted.asciidoc
@@ -0,0 +1,75 @@
+[[prebuilt-rule-0-14-3-aws-efs-file-system-or-mount-deleted]]
+=== AWS EFS File System or Mount Deleted
+
+Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 10m
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
+* https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
+
+*Tags*:
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Data Protection
+
+*Version*: 1
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and
+event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Data Destruction
+** ID: T1485
+** Reference URL: https://attack.mitre.org/techniques/T1485/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-eventbridge-rule-disabled-or-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-eventbridge-rule-disabled-or-deleted.asciidoc
new file mode 100644
index 0000000000..63f4e8f40a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-eventbridge-rule-disabled-or-deleted.asciidoc
@@ -0,0 +1,71 @@
+[[prebuilt-rule-0-14-3-aws-eventbridge-rule-disabled-or-deleted]]
+=== AWS EventBridge Rule Disabled or Deleted
+
+Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html
+* https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html
+
+*Tags*:
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Monitoring
+
+*Version*: 2
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and
+event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-rds-snapshot-export.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-rds-snapshot-export.asciidoc
new file mode 100644
index 0000000000..6808861ac7
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-rds-snapshot-export.asciidoc
@@ -0,0 +1,69 @@
+[[prebuilt-rule-0-14-3-aws-rds-snapshot-export]]
+=== AWS RDS Snapshot Export
+
+Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 10m
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html
+
+*Tags*:
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Asset Visibility
+
+*Version*: 3
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-rds-snapshot-restored.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-rds-snapshot-restored.asciidoc
new file mode 100644
index 0000000000..3501b482e2
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-rds-snapshot-restored.asciidoc
@@ -0,0 +1,71 @@
+[[prebuilt-rule-0-14-3-aws-rds-snapshot-restored]]
+=== AWS RDS Snapshot Restored
+
+Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html
+* https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
+
+*Tags*:
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Asset Visibility
+
+*Version*: 2
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and
+event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-route-table-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-route-table-created.asciidoc
new file mode 100644
index 0000000000..673c9d3794
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-route-table-created.asciidoc
@@ -0,0 +1,73 @@
+[[prebuilt-rule-0-14-3-aws-route-table-created]]
+=== AWS Route Table Created
+
+Identifies when an AWS Route Table has been created.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 10m
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified/
+* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html
+* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable
+
+*Tags*:
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Network Security
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and
+event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc
new file mode 100644
index 0000000000..cf7ac2abd4
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc
@@ -0,0 +1,74 @@
+[[prebuilt-rule-0-14-3-aws-route53-private-hosted-zone-associated-with-a-vpc]]
+=== AWS Route53 private hosted zone associated with a VPC
+
+Identifies when a Route53 private hosted zone has been associated with VPC.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 10m
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html
+
+*Tags*:
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Asset Visibility
+
+*Version*: 1
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and
+event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-saml-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-saml-activity.asciidoc
new file mode 100644
index 0000000000..9d8bd130bc
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-saml-activity.asciidoc
@@ -0,0 +1,87 @@
+[[prebuilt-rule-0-14-3-aws-saml-activity]]
+=== AWS SAML Activity
+
+Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
+* https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
+
+*Tags*:
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or
+UpdateSAMLProvider) and event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Use Alternate Authentication Material
+** ID: T1550
+** Reference URL: https://attack.mitre.org/techniques/T1550/
+* Sub-technique:
+** Name: Application Access Token
+** ID: T1550.001
+** Reference URL: https://attack.mitre.org/techniques/T1550/001/
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-security-token-service-sts-assumerole-usage.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-security-token-service-sts-assumerole-usage.asciidoc
new file mode 100644
index 0000000000..b22750b181
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-security-token-service-sts-assumerole-usage.asciidoc
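Review bot: The query term `event.action:(Assumerolewithsaml or UpdateSAMLProvider)` uses a lowercased spelling of the first event name, while the rule's own reference link names the API AssumeRoleWithSAML; if `event.action` is indexed as a keyword field, as it is in ECS, a lowercase term would not match the mixed-case value and the AssumeRoleWithSAML half of this rule would never fire. I would confirm the casing against ingested `aws.cloudtrail` documents and, if the value is mixed-case, change the line to `event.action:(AssumeRoleWithSAML or UpdateSAMLProvider)`. Either way the rule query and the referenced API name should agree so a reader can see the intended match.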
@@ -0,0 +1,86 @@
+[[prebuilt-rule-0-14-3-aws-security-token-service-sts-assumerole-usage]]
+=== AWS Security Token Service (STS) AssumeRole Usage
+
+Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
+
+*Tags*:
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and
+aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Abuse Elevation Control Mechanism
+** ID: T1548
+** Reference URL: https://attack.mitre.org/techniques/T1548/
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Use Alternate Authentication Material
+** ID: T1550
+** Reference URL: https://attack.mitre.org/techniques/T1550/
+* Sub-technique:
+** Name: Application Access Token
+** ID: T1550.001
+** Reference URL: https://attack.mitre.org/techniques/T1550/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc
new file mode 100644
index 0000000000..3e1b33f024
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc
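Review bot: `*Searches indices from*: None` in the STS AssumeRole section prints a literal `None` where every other rule in this commit shows a date-math window such as `now-25m`, which looks like the doc generator rendering a missing `from` value rather than an intended setting; the same line appears in the Azure Blob Permissions Modification section further down. A reader cannot tell from this page what lookback the rule actually runs with, and presumably the platform default applies when the field is absent. Worth checking the source rule for both and either setting an explicit window or having the generator print the effective default instead of `None`.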
@@ -0,0 +1,76 @@
+[[prebuilt-rule-0-14-3-azure-active-directory-high-risk-user-sign-in-heuristic]]
+=== Azure Active Directory High Risk User Sign-in Heuristic
+
+Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema
+* https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
+* https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:azure.signinlogs and
+ azure.signinlogs.properties.risk_state:("confirmedCompromised" or "atRisk") and event.outcome:(success or Success)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-blob-permissions-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-blob-permissions-modification.asciidoc
new file mode 100644
index 0000000000..4b3a1bffa1
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-blob-permissions-modification.asciidoc
@@ -0,0 +1,76 @@
+[[prebuilt-rule-0-14-3-azure-blob-permissions-modification]]
+=== Azure Blob Permissions Modification
+
+Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(
+ "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION" or
+ "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION") and
+ event.outcome:(Success or success)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: File and Directory Permissions Modification
+** ID: T1222
+** Reference URL: https://attack.mitre.org/techniques/T1222/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-full-network-packet-capture-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-full-network-packet-capture-detected.asciidoc
new file mode 100644
index 0000000000..a790e6ae1d
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-full-network-packet-capture-detected.asciidoc
@@ -0,0 +1,79 @@
+[[prebuilt-rule-0-14-3-azure-full-network-packet-capture-detected]]
+=== Azure Full Network Packet Capture Detected
+
+Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Monitoring
+
+*Version*: 1
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
+ (
+ "MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION" or
+ "MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION" or
+ "MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE"
+ ) and
+event.outcome:(Success or success)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Network Sniffing
+** ID: T1040
+** Reference URL: https://attack.mitre.org/techniques/T1040/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-events-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-events-deleted.asciidoc
new file mode 100644
index 0000000000..a59fc60cac
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-events-deleted.asciidoc
@@ -0,0 +1,78 @@
+[[prebuilt-rule-0-14-3-azure-kubernetes-events-deleted]]
+=== Azure Kubernetes Events Deleted
+
+Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 2
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and
+event.outcome:(Success or success)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify Tools
+** ID: T1562.001
+** Reference URL: https://attack.mitre.org/techniques/T1562/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-pods-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-pods-deleted.asciidoc
new file mode 100644
index 0000000000..957242fd92
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-pods-deleted.asciidoc
@@ -0,0 +1,70 @@
+[[prebuilt-rule-0-14-3-azure-kubernetes-pods-deleted]]
+=== Azure Kubernetes Pods Deleted
+
+Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Asset Visibility
+
+*Version*: 2
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and
+event.outcome:(Success or success)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-rolebindings-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-rolebindings-created.asciidoc
new file mode 100644
index 0000000000..7b2411654f
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-kubernetes-rolebindings-created.asciidoc
@@ -0,0 +1,73 @@
+[[prebuilt-rule-0-14-3-azure-kubernetes-rolebindings-created]]
+=== Azure Kubernetes Rolebindings Created
+
+Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+* https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
+ ("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or
+ "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and
+event.outcome:(Success or success)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-virtual-network-device-modified-or-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-virtual-network-device-modified-or-deleted.asciidoc
new file mode 100644
index 0000000000..b5affea481
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-azure-virtual-network-device-modified-or-deleted.asciidoc
@@ -0,0 +1,75 @@
+[[prebuilt-rule-0-14-3-azure-virtual-network-device-modified-or-deleted]]
+=== Azure Virtual Network Device Modified or Deleted
+
+Identifies when a virtual network device is being modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Network Security
+
+*Version*: 1
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or
+"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE" or "MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE" or
+"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION" or "MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE"or
+"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE" or "MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE" or
+"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE" or "MICROSOFT.NETWORK/VIRTUALHUBS/WRITE" or
+"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE" or "MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE") and
+event.outcome:(Success or success)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-clearing-windows-console-history.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-clearing-windows-console-history.asciidoc
new file mode 100644
index 0000000000..bbab06ce88
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-clearing-windows-console-history.asciidoc
@@ -0,0 +1,73 @@
+[[prebuilt-rule-0-14-3-clearing-windows-console-history]]
+=== Clearing Windows Console History
+
+Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
+* https://www.shellhacks.com/clear-history-powershell/
+* https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.action == "start" and
+ (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and
+ (process.args : "*Clear-History*" or
+ (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or
+ (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*"))
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Indicator Removal on Host
+** ID: T1070
+** Reference URL: https://attack.mitre.org/techniques/T1070/
+* Sub-technique:
+** Name: Clear Command History
+** ID: T1070.003
+** Reference URL: https://attack.mitre.org/techniques/T1070/003/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-clearing-windows-event-logs.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-clearing-windows-event-logs.asciidoc
new file mode 100644
index 0000000000..1158faa0c2
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-clearing-windows-event-logs.asciidoc
@@ -0,0 +1,68 @@
+[[prebuilt-rule-0-14-3-clearing-windows-event-logs]]
+=== Clearing Windows Event Logs
+
+Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 11
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type in ("process_started", "start") and
+ (process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and
+ process.args : ("/e:false", "cl", "clear-log") or
+ process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Clear-EventLog"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Indicator Removal on Host
+** ID: T1070
+** Reference URL: https://attack.mitre.org/techniques/T1070/
+* Sub-technique:
+** Name: Clear Windows Event Logs
+** ID: T1070.001
+** Reference URL: https://attack.mitre.org/techniques/T1070/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-component-object-model-hijacking.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-component-object-model-hijacking.asciidoc
new file mode 100644
index 0000000000..738a09f34a
--- /dev/null
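Review bot: The description line reads `using Windows wevetutil command` while the query on the same page matches `wevtutil.exe`; the description has a typo and should read `using the Windows wevtutil command`. Since these pages appear to be generated from the rule definitions, the fix belongs in the rule's description text so the next regeneration does not reintroduce it. The query itself is fine as written: EQL `and` binds tighter than `or`, so the two branches (wevtutil with its clear arguments, PowerShell with `Clear-EventLog`) group as intended, though a pair of parentheses around each branch would make that grouping obvious to readers.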
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-component-object-model-hijacking.asciidoc 
@@ -0,0 +1,81 @@
+[[prebuilt-rule-0-14-3-component-object-model-hijacking]]
+=== Component Object Model Hijacking
+
+Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 5
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+registry where
+ /* uncomment once length is stable length(bytes_written_string) > 0 and */
+ (registry.path : "HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
+ not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*")
+ or
+ /* in general COM Registry changes on Users Hive is less noisy and worth alerting */
+ (registry.path : ("HKEY_USERS\\*Classes\\*\\InprocServer32\\",
+ "HKEY_USERS\\*Classes\\*\\LocalServer32\\",
+ "HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
+ "HKEY_USERS\\*Classes\\*\\TreatAs\\",
+ "HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and
+ not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
+ registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\") and
+ /* not necessary but good for filtering privileged installations */
+ user.domain != "NT AUTHORITY")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* 
Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Event Triggered Execution
+** ID: T1546
+** Reference URL: https://attack.mitre.org/techniques/T1546/
+* Sub-technique:
+** Name: Component Object Model Hijacking
+** ID: T1546.015
+** Reference URL: https://attack.mitre.org/techniques/T1546/015/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-control-panel-process-with-unusual-arguments.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-control-panel-process-with-unusual-arguments.asciidoc
new file mode 100644
index 0000000000..13dec5d68d
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-control-panel-process-with-unusual-arguments.asciidoc
@@ -0,0 +1,82 @@
+[[prebuilt-rule-0-14-3-control-panel-process-with-unusual-arguments]]
+=== Control Panel Process with Unusual Arguments
+
+Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.joesandbox.com/analysis/476188/1/html
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type in ("start", "process_started") and
+ process.executable : ("?:\\Windows\\SysWOW64\\control.exe", "?:\\Windows\\System32\\control.exe") and
+ process.command_line :
+ ("*.jpg*",
+ "*.png*",
+ "*.gif*",
+ "*.bmp*",
+ "*.jpeg*",
+ "*.TIFF*",
+ "*.inf*",
+ "*.dat*",
+ "*.cpl:*/*",
+ "*../../..*",
+ "*/AppData/Local/*",
+ "*:\\Users\\Public\\*",
+ "*\\AppData\\Local\\*")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Signed Binary Proxy Execution
+** ID: T1218
+** Reference URL: https://attack.mitre.org/techniques/T1218/
+* Sub-technique:
+** Name: Control Panel
+** ID: T1218.002
+** Reference URL: https://attack.mitre.org/techniques/T1218/002/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-disabling-windows-defender-security-settings-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-disabling-windows-defender-security-settings-via-powershell.asciidoc
new file mode 100644
index 0000000000..7c30a5c48a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-disabling-windows-defender-security-settings-via-powershell.asciidoc
@@ -0,0 +1,69 @@
+[[prebuilt-rule-0-14-3-disabling-windows-defender-security-settings-via-powershell]]
+=== Disabling Windows Defender Security Settings via PowerShell
+
+Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type == "start" and
+ (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
+ process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify Tools
+** ID: T1562.001
+** Reference URL: https://attack.mitre.org/techniques/T1562/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-dns-over-https-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-dns-over-https-enabled-via-registry.asciidoc
new file mode 100644
index 0000000000..6cbe7dae08
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-dns-over-https-enabled-via-registry.asciidoc
@@ -0,0 +1,70 @@
+[[prebuilt-rule-0-14-3-dns-over-https-enabled-via-registry]]
+=== DNS-over-HTTPS Enabled via Registry
+
+Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
+* https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 2
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+registry where event.type in ("creation", "change") and
+ (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
+ registry.data.strings : "1") or
+ (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
+ registry.data.strings : "secure") or
+ (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
+ registry.data.strings : "1")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-enumeration-of-privileged-local-groups-membership.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-enumeration-of-privileged-local-groups-membership.asciidoc
new file mode 100644
index 0000000000..61fab9bba1
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-enumeration-of-privileged-local-groups-membership.asciidoc
@@ -0,0 +1,98 @@
+[[prebuilt-rule-0-14-3-enumeration-of-privileged-local-groups-membership]]
+=== Enumeration of Privileged Local Groups Membership
+
+Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 43
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Discovery
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+This will require Windows security event 4799 by enabling audit success for the windows Account Management category and
+the Security Group Management subcategory.
+
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+iam where event.action == "user-member-enumerated" and
+
+ /* noisy and usual legit processes excluded */
+ not winlog.event_data.CallerProcessName:
+ ("?:\\Windows\\System32\\VSSVC.exe",
+ "?:\\Windows\\System32\\SearchIndexer.exe",
+ "?:\\Windows\\System32\\CompatTelRunner.exe",
+ "?:\\Windows\\System32\\oobe\\msoobe.exe",
+ "?:\\Windows\\System32\\net1.exe",
+ "?:\\Windows\\System32\\svchost.exe",
+ "?:\\Windows\\System32\\Netplwiz.exe",
+ "?:\\Windows\\System32\\msiexec.exe",
+ "?:\\Windows\\System32\\CloudExperienceHostBroker.exe",
+ "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+ "?:\\Windows\\System32\\SrTasks.exe",
+ "?:\\Windows\\System32\\lsass.exe",
+ "?:\\Windows\\System32\\diskshadow.exe",
+ "?:\\Windows\\System32\\dfsrs.exe",
+ "?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe") and
+ /* privileged local groups */
+ (group.name:("admin*","RemoteDesktopUsers") or
+ winlog.event_data.TargetSid:("S-1-5-32-544","S-1-5-32-555"))
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Permission Groups Discovery
+** ID: T1069
+** Reference URL: https://attack.mitre.org/techniques/T1069/
+* Sub-technique:
+** Name: Local Groups
+** ID: T1069.001
+** Reference URL: https://attack.mitre.org/techniques/T1069/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-exporting-exchange-mailbox-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-exporting-exchange-mailbox-via-powershell.asciidoc
new file mode 100644
index 0000000000..dd5220725c
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-exporting-exchange-mailbox-via-powershell.asciidoc
@@ -0,0 +1,73 @@
+[[prebuilt-rule-0-14-3-exporting-exchange-mailbox-via-powershell]]
+=== Exporting Exchange Mailbox via PowerShell
+
+Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
+* https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Collection
+
+*Version*: 6
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type in ("start", "process_started") and
+ process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "New-MailboxExportRequest*"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Collection
+** ID: TA0009
+** Reference URL: https://attack.mitre.org/tactics/TA0009/
+* Technique:
+** Name: Email Collection
+** ID: T1114
+** Reference URL: https://attack.mitre.org/techniques/T1114/
+* Sub-technique:
+** Name: Remote Email Collection
+** ID: T1114.002
+** Reference URL: https://attack.mitre.org/techniques/T1114/002/
+* Technique:
+** Name: Data from Local System
+** ID: T1005
+** Reference URL: https://attack.mitre.org/techniques/T1005/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-gcp-kubernetes-rolebindings-created-or-patched.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-gcp-kubernetes-rolebindings-created-or-patched.asciidoc
new file mode 100644
index 0000000000..fcee1083af
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-gcp-kubernetes-rolebindings-created-or-patched.asciidoc
@@ -0,0 +1,74 @@
+[[prebuilt-rule-0-14-3-gcp-kubernetes-rolebindings-created-or-patched]]
+=== GCP Kubernetes Rolebindings Created or Patched
+
+Identifies the creation or patching of potential malicious rolebinding. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-gcp*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
+* https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/
+* https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or
+io.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or
+io.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-gcp-virtual-private-cloud-route-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-gcp-virtual-private-cloud-route-creation.asciidoc
new file mode 100644
index 0000000000..8d653abc45
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-gcp-virtual-private-cloud-route-creation.asciidoc
@@ -0,0 +1,63 @@
+[[prebuilt-rule-0-14-3-gcp-virtual-private-cloud-route-creation]]
+=== GCP Virtual Private Cloud Route Creation
+
+Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-gcp*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/vpc/docs/routes
+* https://cloud.google.com/vpc/docs/using-routes
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 6
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
+
+----------------------------------
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-hosts-file-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-hosts-file-modified.asciidoc
new file mode 100644
index 0000000000..2171605303
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-hosts-file-modified.asciidoc 
@@ -0,0 +1,95 @@
+[[prebuilt-rule-0-14-3-hosts-file-modified]]
+=== Hosts File Modified
+
+The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* auditbeat-*
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Windows
+* macOS
+* Threat Detection
+* Impact
+
+*Version*: 6
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+any where
+
+ /* file events for creation; file change events are not captured by some of the included sources for linux and so may
+ miss this, which is the purpose of the process + command line args logic below */
+ (
+ event.category == "file" and event.type in ("change", "creation") and
+ file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts")
+ )
+ or
+
+ /* process events for change targeting linux only */
+ (
+ event.category == "process" and event.type in ("start") and
+ process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and
+ process.args : ("/etc/hosts")
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Data Manipulation
+** ID: T1565
+** Reference URL: https://attack.mitre.org/techniques/T1565/
+* Sub-technique:
+** Name: Stored Data Manipulation
+** ID: T1565.001
+** Reference URL: https://attack.mitre.org/techniques/T1565/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-via-mshta.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-via-mshta.asciidoc
new file mode 100644
index 0000000000..26b05c53a4
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-via-mshta.asciidoc
@@ -0,0 +1,86 @@
+[[prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-via-mshta]]
+=== Incoming DCOM Lateral Movement via MSHTA
+
+Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://codewhitesec.blogspot.com/2018/07/lethalhta.html
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Lateral Movement
+
+*Version*: 4
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence with maxspan=1m
+ [process where event.type in ("start", "process_started") and
+ process.name : "mshta.exe" and process.args : "-Embedding"
+ ] by host.id, process.entity_id
+ [network where event.type == "start" and process.name : "mshta.exe" and
+ network.direction : ("incoming", "ingress") and network.transport == "tcp" and
+ source.port > 49151 and destination.port > 49151 and not source.address in ("127.0.0.1", "::1")
+ ] by host.id, process.entity_id
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
+* Sub-technique:
+** Name: Distributed Component Object Model
+** ID: T1021.003
+** Reference URL: https://attack.mitre.org/techniques/T1021/003/
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Signed Binary Proxy Execution
+** ID: T1218
+** Reference URL: https://attack.mitre.org/techniques/T1218/
+* Sub-technique:
+** Name: Mshta
+** ID: T1218.005
+** Reference URL: https://attack.mitre.org/techniques/T1218/005/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-mmc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-mmc.asciidoc
new file mode 100644
index 0000000000..2595410e2b
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-mmc.asciidoc
@@ -0,0 +1,73 @@
+[[prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-mmc]]
+=== Incoming DCOM Lateral Movement with MMC
+
+Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Lateral Movement
+
+*Version*: 4
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=1m
+ [network where event.type == "start" and process.name : "mmc.exe" and
+ source.port >= 49152 and destination.port >= 49152 and source.address not in ("127.0.0.1", "::1") and
+ network.direction : ("incoming", "ingress") and network.transport == "tcp"
+ ] by process.entity_id
+ [process where event.type in ("start", "process_started") and process.parent.name : "mmc.exe"
+ ] by process.parent.entity_id
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
+* Sub-technique:
+** Name: Distributed Component Object Model
+** ID: T1021.003
+** Reference URL: https://attack.mitre.org/techniques/T1021/003/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.asciidoc
new file mode 100644
index 0000000000..14813b9aef
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.asciidoc
@@ -0,0 +1,74 @@
+[[prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows]]
+=== Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
+
+Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Lateral Movement
+
+*Version*: 4
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=5s
+ [network where event.type == "start" and process.name : "explorer.exe" and
+ network.direction : ("incoming", "ingress") and network.transport == "tcp" and
+ source.port > 49151 and destination.port > 49151 and not source.address in ("127.0.0.1", "::1")
+ ] by process.entity_id
+ [process where event.type in ("start", "process_started") and
+ process.parent.name : "explorer.exe"
+ ] by process.parent.entity_id
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
+* Sub-technique:
+** Name: Distributed Component Object Model
+** ID: T1021.003
+** Reference URL: https://attack.mitre.org/techniques/T1021/003/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-execution-via-powershell-remoting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-execution-via-powershell-remoting.asciidoc
new file mode 100644
index 0000000000..da7392ec05
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-execution-via-powershell-remoting.asciidoc
@@ -0,0 +1,67 @@
+[[prebuilt-rule-0-14-3-incoming-execution-via-powershell-remoting]]
+=== Incoming Execution via PowerShell Remoting
+
+Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Lateral Movement
+
+*Version*: 3
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id with maxspan = 30s
+ [network where network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
+ network.protocol == "http" and source.address != "127.0.0.1" and source.address != "::1"
+ ]
+ [process where event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-execution-via-winrm-remote-shell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-execution-via-winrm-remote-shell.asciidoc
new file mode 100644
index 0000000000..fb6239b12f
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-incoming-execution-via-winrm-remote-shell.asciidoc
@@ -0,0 +1,65 @@
+[[prebuilt-rule-0-14-3-incoming-execution-via-winrm-remote-shell]]
+=== Incoming Execution via WinRM Remote Shell
+
+Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Lateral Movement
+
+*Version*: 3
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=30s
+ [network where process.pid == 4 and network.direction : ("incoming", "ingress") and
+ destination.port in (5985, 5986) and network.protocol == "http" and not source.address in ("::1", "127.0.0.1")
+ ]
+ [process where event.type == "start" and process.parent.name : "winrshost.exe" and not process.name : "conhost.exe"]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-installutil-process-making-network-connections.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-installutil-process-making-network-connections.asciidoc
new file mode 100644
index 0000000000..f5efa6937e
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-installutil-process-making-network-connections.asciidoc
@@ -0,0 +1,69 @@
+[[prebuilt-rule-0-14-3-installutil-process-making-network-connections]]
+=== InstallUtil Process Making Network Connections
+
+Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 4
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */
+
+sequence by process.entity_id
+ [process where event.type in ("start", "process_started") and process.name : "installutil.exe"]
+ [network where process.name : "installutil.exe" and network.direction : ("outgoing", "egress")]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Signed Binary Proxy Execution
+** ID: T1218
+** Reference URL: https://attack.mitre.org/techniques/T1218/
+* Sub-technique:
+** Name: InstallUtil
+** ID: T1218.004
+** Reference URL: https://attack.mitre.org/techniques/T1218/004/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-kerberos-traffic-from-unusual-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-kerberos-traffic-from-unusual-process.asciidoc
new file mode 100644
index 0000000000..1890bada77
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-kerberos-traffic-from-unusual-process.asciidoc
@@ -0,0 +1,65 @@
+[[prebuilt-rule-0-14-3-kerberos-traffic-from-unusual-process]]
+=== Kerberos Traffic from Unusual Process
+
+Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 4
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+network where event.type == "start" and network.direction : ("outgoing", "egress") and
+ destination.port == 88 and source.port >= 49152 and
+ process.executable != "C:\\Windows\\System32\\lsass.exe" and destination.address !="127.0.0.1" and destination.address !="::1" and
+ /* insert False Positives here */
+ not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Steal or Forge Kerberos Tickets
+** ID: T1558
+** Reference URL: https://attack.mitre.org/techniques/T1558/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-lateral-tool-transfer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-lateral-tool-transfer.asciidoc
new file mode 100644
index 0000000000..5b8b102744
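Review bot: The lsass exclusion on the third line of the query is an exact comparison, `process.executable != "C:\\Windows\\System32\\lsass.exe"`, whereas the other rules in this package (the LSASS memory dump and LSASS clone rules) match the same binary with the wildcard form `?:\\Windows\\System32\\lsass.exe` via the `:` operator; a host whose system drive is not C:, or whose executable path is logged with different casing, would not be excluded and lsass's own Kerberos traffic would raise alerts. Consider `not process.executable : "?:\\Windows\\System32\\lsass.exe"` to match the sibling rules. The two loopback exclusions on the same line could likewise use the `not destination.address in ("127.0.0.1", "::1")` form that the outbound scheduled task rule in this package uses.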
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-lateral-tool-transfer.asciidoc
@@ -0,0 +1,67 @@
+[[prebuilt-rule-0-14-3-lateral-tool-transfer]]
+=== Lateral Tool Transfer
+
+Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Lateral Movement
+
+*Version*: 3
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=30s
+ [network where event.type == "start" and process.pid == 4 and destination.port == 445 and
+ network.direction : ("incoming", "ingress") and network.transport == "tcp" and
+ source.address != "127.0.0.1" and source.address != "::1"
+ ] by process.entity_id
+ /* add more executable extensions here if they are not noisy in your environment */
+ [file where event.type in ("creation", "change") and process.pid == 4 and file.extension : ("exe", "dll", "bat", "cmd")] by process.entity_id
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Lateral Tool Transfer
+** ID: T1570
+** Reference URL: https://attack.mitre.org/techniques/T1570/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-local-scheduled-task-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-local-scheduled-task-creation.asciidoc
new file mode 100644
index 0000000000..c70e7a5bff
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-local-scheduled-task-creation.asciidoc
@@ -0,0 +1,77 @@
+[[prebuilt-rule-0-14-3-local-scheduled-task-creation]]
+=== Local Scheduled Task Creation
+
+A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 9
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence with maxspan=1m
+ [process where event.type != "end" and
+ ((process.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe",
+ "powershell.exe", "pwsh.exe", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe", "winrshost.exe") or
+ process.pe.original_file_name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe",
+ "powershell.exe", "pwsh.dll", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe",
+ "winrshost.exe")) or
+ process.code_signature.trusted == false)] by process.entity_id
+ [process where event.type == "start" and
+ (process.name : "schtasks.exe" or process.pe.original_file_name == "schtasks.exe") and
+ process.args : ("/create", "-create") and process.args : ("/RU", "/SC", "/TN", "/TR", "/F", "/XML") and
+ /* exclude SYSTEM SIDs - look for task creations by non-SYSTEM user */
+ not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")] by process.parent.entity_id
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Scheduled Task/Job
+** ID: T1053
+** 
Reference URL: https://attack.mitre.org/techniques/T1053/
+* Sub-technique:
+** Name: Scheduled Task
+** ID: T1053.005
+** Reference URL: https://attack.mitre.org/techniques/T1053/005/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-365-potential-ransomware-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-365-potential-ransomware-activity.asciidoc
new file mode 100644
index 0000000000..a2cdfc83db
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-365-potential-ransomware-activity.asciidoc
@@ -0,0 +1,75 @@
+[[prebuilt-rule-0-14-3-microsoft-365-potential-ransomware-activity]]
+=== Microsoft 365 Potential ransomware activity
+
+Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-o365*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+* https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Microsoft 365
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 2
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Data Encrypted for Impact
+** ID: T1486
+** Reference URL: https://attack.mitre.org/techniques/T1486/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-build-engine-started-by-a-script-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-build-engine-started-by-a-script-process.asciidoc
new file mode 100644
index 0000000000..257de39a5a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-build-engine-started-by-a-script-process.asciidoc
@@ -0,0 +1,71 @@
+[[prebuilt-rule-0-14-3-microsoft-build-engine-started-by-a-script-process]]
+=== Microsoft Build Engine Started by a Script Process
+
+An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 10
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type == "start" and
+ (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe") and
+ process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe", "mshta.exe")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Trusted Developer Utilities Proxy Execution
+** ID: T1127
+** Reference URL: https://attack.mitre.org/techniques/T1127/
+* Sub-technique:
+** Name: MSBuild
+** ID: T1127.001
+** Reference URL: https://attack.mitre.org/techniques/T1127/001/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc
new file mode 100644
index 0000000000..7dc7855185
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc
@@ -0,0 +1,68 @@
+[[prebuilt-rule-0-14-3-microsoft-exchange-worker-spawning-suspicious-processes]]
+=== Microsoft Exchange Worker Spawning Suspicious Processes
+
+Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers
+* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities
+* https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Initial Access
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type == "start" and
+ process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
+ (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+ process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Exploit Public-Facing Application
+** ID: T1190
+** Reference URL: https://attack.mitre.org/techniques/T1190/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-network-connection-via-mshta.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-network-connection-via-mshta.asciidoc
new file mode 100644
index 0000000000..40db4f2f3b
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-network-connection-via-mshta.asciidoc
@@ -0,0 +1,71 @@
+[[prebuilt-rule-0-14-3-network-connection-via-mshta]]
+=== Network Connection via Mshta
+
+Identifies mshta.exe making a network connection. This may indicate adversarial activity, as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 5
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+/* duplicate of Mshta Making Network Connections - c2d90150-0133-451c-a783-533e736c12d7 */
+
+sequence by process.entity_id
+ [process where process.name : "mshta.exe" and event.type == "start"]
+ [network where process.name : "mshta.exe"]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Signed Binary Proxy Execution
+** ID: T1218
+** Reference URL: https://attack.mitre.org/techniques/T1218/
+* Sub-technique:
+** Name: Mshta
+** ID: T1218.005
+** Reference URL: https://attack.mitre.org/techniques/T1218/005/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-network-connection-via-signed-binary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-network-connection-via-signed-binary.asciidoc
new file mode 100644
index 0000000000..5baf13b545
--- /dev/null
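Review bot: The rule query opens with a comment declaring this rule a duplicate of `Mshta Making Network Connections - c2d90150-0133-451c-a783-533e736c12d7`, but the page text gives no hint which of the two rules is the deprecated one or whether the other is shipped in this package, so a reader enabling the whole package cannot tell that one mshta.exe connection may produce two alerts. A sentence under the description would settle it, e.g. `NOTE: This rule duplicates "Mshta Making Network Connections" (c2d90150-0133-451c-a783-533e736c12d7); enable only one of the two.` Unlike the InstallUtil rule in this package, the network event here also carries no `network.direction` filter, so inbound connections match as well; if that is intended, the description could say so.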
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-network-connection-via-signed-binary.asciidoc 
@@ -0,0 +1,77 @@
+[[prebuilt-rule-0-14-3-network-connection-via-signed-binary]]
+=== Network Connection via Signed Binary
+
+Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 9
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by process.entity_id
+ [process where (process.name : "expand.exe" or process.name : "extrac32.exe" or
+ process.name : "ieexec.exe" or process.name : "makecab.exe") and
+ event.type == "start"]
+ [network where (process.name : "expand.exe" or process.name : "extrac32.exe" or
+ process.name : "ieexec.exe" or process.name : "makecab.exe") and
+ not cidrmatch(destination.ip,
+ "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
+ "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24",
+ "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
+ "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: 
TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Signed Binary Proxy Execution
+** ID: T1218
+** Reference URL: https://attack.mitre.org/techniques/T1218/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-new-activesyncalloweddeviceid-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-new-activesyncalloweddeviceid-added-via-powershell.asciidoc
new file mode 100644
index 0000000000..976093b1f9
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-new-activesyncalloweddeviceid-added-via-powershell.asciidoc
@@ -0,0 +1,69 @@
+[[prebuilt-rule-0-14-3-new-activesyncalloweddeviceid-added-via-powershell]]
+=== New ActiveSyncAllowedDeviceID Added via PowerShell
+
+Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
+* https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 6
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type in ("start", "process_started") and
+ process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
+* Sub-technique:
+** Name: Exchange Email Delegate Permissions
+** ID: T1098.002
+** Reference URL: https://attack.mitre.org/techniques/T1098/002/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-outbound-scheduled-task-activity-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-outbound-scheduled-task-activity-via-powershell.asciidoc
new file mode 100644
index 0000000000..41374b8814
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-outbound-scheduled-task-activity-via-powershell.asciidoc
@@ -0,0 +1,69 @@
+[[prebuilt-rule-0-14-3-outbound-scheduled-task-activity-via-powershell]]
+=== Outbound Scheduled Task Activity via PowerShell
+
+Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 4
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id, process.entity_id with maxspan = 5s
+ [library where dll.name : "taskschd.dll" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
+ [network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Scheduled Task/Job
+** ID: T1053
+** Reference URL: https://attack.mitre.org/techniques/T1053/
+* Sub-technique:
+** Name: Scheduled Task
+** ID: T1053.005
+** Reference URL: https://attack.mitre.org/techniques/T1053/005/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc
new file mode 100644
index 0000000000..66ade5ce93
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc
@@ -0,0 +1,72 @@
+[[prebuilt-rule-0-14-3-potential-credential-access-via-duplicatehandle-in-lsass]]
+=== Potential Credential Access via DuplicateHandle in LSASS
+
+Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/CCob/MirrorDump
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.code == "10" and
+
+ /* LSASS requesting DuplicateHandle access right to another process */
+ process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
+
+ /* call is coming from an unknown executable region */
+ winlog.event_data.CallTrace : "*UNKNOWN*"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
+* Sub-technique:
+** Name: LSASS Memory
+** ID: T1003.001
+** Reference URL: https://attack.mitre.org/techniques/T1003/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-lsass-memory-dump.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-lsass-memory-dump.asciidoc
new file mode 100644
index 0000000000..14d30e48c3
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-lsass-memory-dump.asciidoc
@@ -0,0 +1,73 @@
+[[prebuilt-rule-0-14-3-potential-credential-access-via-lsass-memory-dump]]
+=== Potential Credential Access via LSASS Memory Dump
+
+Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.code == "10" and
+ winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
+
+ /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/
+ winlog.event_data.CallTrace : ("*dbhelp*", "*dbgcore*") and
+
+ /* case of lsass crashing */
+ not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
+* Sub-technique:
+** Name: LSASS Memory
+** ID: T1003.001
+** Reference URL: https://attack.mitre.org/techniques/T1003/001/
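Review bot: The CallTrace pattern `"*dbhelp*"` in the rule query does not match the DBGHelp.dll that the rule description names (the substring `dbhelp` does not occur in `dbghelp`), so handle accesses whose call trace passes through dbghelp.dll would be missed and only the dbgcore.dll case is actually detected. If the library named in the description is the intent, the line should read `winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and`. The description also misspells `preperation`.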
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-renamed-com-services-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-renamed-com-services-dll.asciidoc
new file mode 100644
index 0000000000..9970b3219e
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-credential-access-via-renamed-com-services-dll.asciidoc
@@ -0,0 +1,83 @@
+[[prebuilt-rule-0-14-3-potential-credential-access-via-renamed-com-services-dll]]
+=== Potential Credential Access via Renamed COM+ Services DLL
+
+Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in preparation for credential access.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original
+File Name.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by process.entity_id with maxspan=1m
+ [process where event.category == "process" and
+ process.name : "rundll32.exe"]
+ [process where event.category == "process" and event.dataset : "windows.sysmon_operational" and event.code == "7" and
+ (file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and
+ /* renamed COMSVCS */
+ not file.name : "COMSVCS.DLL"]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
+* Sub-technique:
+** Name: LSASS Memory
+** ID: T1003.001
+** Reference URL: https://attack.mitre.org/techniques/T1003/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc
new file mode 100644
index 0000000000..527bce7b19
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc
@@ -0,0 +1,79 @@
+[[prebuilt-rule-0-14-3-potential-lsass-clone-creation-via-psscapturesnapshot]]
+=== Potential LSASS Clone Creation via PssCaptureSnapShot
+
+Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
+* https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.code:"4688" and
+ process.executable : "?:\\Windows\\System32\\lsass.exe" and
+ process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
+* Sub-technique:
+** Name: LSASS Memory
+** ID: T1003.001
+** Reference URL: https://attack.mitre.org/techniques/T1003/001/
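Review bot: The query depends on `process.parent.executable` being populated from event 4688, which presumably requires the "Creator Process Name" field that only newer Windows builds include in that event; older hosts emit 4688 without it and would never match. The config note only says the rule needs 4688, so it should also state this field-level prerequisite, e.g. `Requires 4688 events that include the creator process name (and command-line auditing where available); older Windows versions do not populate process.parent.executable.`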
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc
new file mode 100644
index 0000000000..fab53f4b9e
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc
@@ -0,0 +1,81 @@
+[[prebuilt-rule-0-14-3-potential-lsass-memory-dump-via-psscapturesnapshot]]
+=== Potential LSASS Memory Dump via PssCaptureSnapShot
+
+Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
+
+*Rule type*: threshold
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
+* https://twitter.com/sbousseaden/status/1280619931516747777?lang=en
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold
+rule cardinality feature.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.category:process and event.code:10 and
+ winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
+ "c:\\Windows\\system32\\lsass.exe" or
+ "c:\\Windows\\System32\\lsass.exe")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
+* Sub-technique:
+** Name: LSASS Memory
+** ID: T1003.001
+** Reference URL: https://attack.mitre.org/techniques/T1003/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-process-injection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-process-injection-via-powershell.asciidoc
new file mode 100644
index 0000000000..b52876ddd0
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-process-injection-via-powershell.asciidoc
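Review bot: The threshold definition this rule depends on is missing from the doc: the description and the config note both rest on cardinality ("two successive process access ... targeting two different instances of LSASS"), yet no threshold field, cardinality field or value is listed, so a reader cannot tell what grouping actually produces an alert. The doc should carry the threshold settings alongside the query, the same way it carries the indices and risk score. Separately, the `winlog.event_data.TargetImage` match enumerates three capitalisation variants; if that field is a keyword it is case-sensitive, and other spellings such as `C:\\WINDOWS\\system32\\lsass.exe` would be missed, so a wildcard or case-insensitive match would be more robust where the mapping allows it.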
@@ -0,0 +1,78 @@
+[[prebuilt-rule-0-14-3-potential-process-injection-via-powershell]]
+=== Potential Process Injection via PowerShell
+
+Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1
+* https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1
+* https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.category:process and
+ powershell.file.script_block_text : (
+ (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or
+ LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
+ (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or
+ SuspendThread or ResumeThread)
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
+* Sub-technique:
+** Name: Dynamic-link Library Injection
+** ID: T1055.001
+** Reference URL: https://attack.mitre.org/techniques/T1055/001/
+* Sub-technique:
+** Name: Portable Executable Injection
+** ID: T1055.002
+** Reference URL: https://attack.mitre.org/techniques/T1055/002/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-sharprdp-behavior.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-sharprdp-behavior.asciidoc
new file mode 100644
index 0000000000..d9e0000ac6
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-sharprdp-behavior.asciidoc
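Review bot: None of the script-block rules in this patch documents its logging prerequisite: `powershell.file.script_block_text` is only populated when PowerShell Script Block Logging (event ID 4104 in the PowerShell Operational log) is enabled and collected, so on hosts without it the query silently matches nothing. The same gap is present in the PowerShell Keylogging Script, PowerShell MiniDump Script, PowerShell Suspicious Discovery Related Windows API Functions and PowerShell Suspicious Script with Audio Capture Capabilities docs, which also have no Investigation guide. A short `## Config` block like the one the COMSVCS and PssCaptureSnapShot rules carry, e.g. `Requires PowerShell Script Block Logging (event 4104) to be enabled and shipped to the winlogbeat-* or logs-windows.* indices.`, would make the dependency visible to whoever enables the rule.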
@@ -0,0 +1,84 @@
+[[prebuilt-rule-0-14-3-potential-sharprdp-behavior]]
+=== Potential SharpRDP Behavior
+
+Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3
+* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Lateral Movement
+
+*Version*: 4
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */
+
+sequence by host.id with maxspan=1m
+ [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
+ network.direction : ("incoming", "ingress") and network.transport == "tcp" and
+ source.address != "127.0.0.1" and source.address != "::1"
+ ]
+
+ [registry where process.name : "explorer.exe" and
+ registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and
+ registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*")
+ ]
+
+ [process where event.type in ("start", "process_started") and
+ (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
+ not process.name : "conhost.exe"
+ ]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
+* Sub-technique:
+** Name: Remote Desktop Protocol
+** ID: T1021.001
+** Reference URL: https://attack.mitre.org/techniques/T1021/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-windows-error-manager-masquerading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-windows-error-manager-masquerading.asciidoc
new file mode 100644
index 0000000000..7e1887c804
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-potential-windows-error-manager-masquerading.asciidoc
@@ -0,0 +1,69 @@
+[[prebuilt-rule-0-14-3-potential-windows-error-manager-masquerading]]
+=== Potential Windows Error Manager Masquerading
+
+Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://twitter.com/SBousseaden/status/1235533224337641473
+* https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/
+* https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 4
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id, process.entity_id with maxspan = 5s
+ [process where event.type:"start" and process.name : ("wermgr.exe", "WerFault.exe") and process.args_count == 1]
+ [network where process.name : ("wermgr.exe", "WerFault.exe") and network.protocol != "dns" and
+ network.direction : ("outgoing", "egress") and destination.ip !="::1" and destination.ip !="127.0.0.1"
+ ]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Masquerading
+** ID: T1036
+** Reference URL: https://attack.mitre.org/techniques/T1036/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-keylogging-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-keylogging-script.asciidoc
new file mode 100644
index 0000000000..354804519a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-keylogging-script.asciidoc
@@ -0,0 +1,83 @@
+[[prebuilt-rule-0-14-3-powershell-keylogging-script]]
+=== PowerShell Keylogging Script
+
+Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1
+* https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Collection
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.category:process and
+ (
+ powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or Get-Keystrokes) or
+ powershell.file.script_block_text : ((SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL))
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Collection
+** ID: TA0009
+** Reference URL: https://attack.mitre.org/tactics/TA0009/
+* Technique:
+** Name: Input Capture
+** ID: T1056
+** Reference URL: https://attack.mitre.org/techniques/T1056/
+* Sub-technique:
+** Name: Keylogging
+** ID: T1056.001
+** Reference URL: https://attack.mitre.org/techniques/T1056/001/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
+* Sub-technique:
+** Name: PowerShell
+** ID: T1059.001
+** Reference URL: https://attack.mitre.org/techniques/T1059/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-minidump-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-minidump-script.asciidoc
new file mode 100644
index 0000000000..1089ad27aa
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-minidump-script.asciidoc
@@ -0,0 +1,79 @@
+[[prebuilt-rule-0-14-3-powershell-minidump-script]]
+=== PowerShell MiniDump Script
+
+This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1
+* https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
+* Sub-technique:
+** Name: LSASS Memory
+** ID: T1003.001
+** Reference URL: https://attack.mitre.org/techniques/T1003/001/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
+* Sub-technique:
+** Name: PowerShell
+** ID: T1059.001
+** Reference URL: https://attack.mitre.org/techniques/T1059/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-suspicious-discovery-related-windows-api-functions.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-suspicious-discovery-related-windows-api-functions.asciidoc
new file mode 100644
index 0000000000..343133b06b
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-suspicious-discovery-related-windows-api-functions.asciidoc
@@ -0,0 +1,99 @@
+[[prebuilt-rule-0-14-3-powershell-suspicious-discovery-related-windows-api-functions]]
+=== PowerShell Suspicious Discovery Related Windows API Functions
+
+This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Discovery
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.category:process and
+ powershell.file.script_block_text : (
+ NetShareEnum or
+ NetWkstaUserEnum or
+ NetSessionEnum or
+ NetLocalGroupEnum or
+ NetLocalGroupGetMembers or
+ DsGetSiteName or
+ DsEnumerateDomainTrusts or
+ WTSEnumerateSessionsEx or
+ WTSQuerySessionInformation or
+ LsaGetLogonSessionData or
+ QueryServiceObjectSecurity
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Network Share Discovery
+** ID: T1135
+** Reference URL: https://attack.mitre.org/techniques/T1135/
+* Technique:
+** Name: Permission Groups Discovery
+** ID: T1069
+** Reference URL: https://attack.mitre.org/techniques/T1069/
+* Sub-technique:
+** Name: Local Groups
+** ID: T1069.001
+** Reference URL: https://attack.mitre.org/techniques/T1069/001/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
+* Sub-technique:
+** Name: PowerShell
+** ID: T1059.001
+** Reference URL: https://attack.mitre.org/techniques/T1059/001/
+* Technique:
+** Name: Native API
+** ID: T1106
+** Reference URL: https://attack.mitre.org/techniques/T1106/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc
new file mode 100644
index 0000000000..6300bc61df
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc
@@ -0,0 +1,77 @@
+[[prebuilt-rule-0-14-3-powershell-suspicious-script-with-audio-capture-capabilities]]
+=== PowerShell Suspicious Script with Audio Capture Capabilities
+
+Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Collection
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.category:process and
+ powershell.file.script_block_text : (
+ Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Collection
+** ID: TA0009
+** Reference URL: https://attack.mitre.org/tactics/TA0009/
+* Technique:
+** Name: Audio Capture
+** ID: T1123
+** Reference URL: https://attack.mitre.org/techniques/T1123/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
+* Sub-technique:
+** Name: PowerShell
+** ID: T1059.001
+** Reference URL: https://attack.mitre.org/techniques/T1059/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc
new file mode 100644
index 0000000000..3739a1c27e
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc
@@ -0,0 +1,78 @@
+[[prebuilt-rule-0-14-3-privilege-escalation-via-rogue-named-pipe-impersonation]]
+=== Privilege Escalation via Rogue Named Pipe Impersonation
+
+Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
+* https://github.com/zcgonvh/EfsPotato
+* https://twitter.com/SBousseaden/status/1429530155291193354
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Privilege Escalation
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:
+`condition equal "contains" and keyword equal "pipe"`
+
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where event.action : "Pipe Created*" and
+ /* normal sysmon named pipe creation events truncate the pipe keyword */
+ file.name : "\\*\\Pipe\\*"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Access Token Manipulation
+** ID: T1134
+** Reference URL: https://attack.mitre.org/techniques/T1134/
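Review bot: The query keys entirely on `event.action : "Pipe Created*"` and the `file.name` path, without an `event.dataset` or `event.code` constraint, so it is implicitly tied to Sysmon's pipe-creation event while the doc never names that event; a reader of the config note ("condition equal "contains" and keyword equal "pipe"") has to infer that this is a Sysmon Event ID 17 filter. Stating the source explicitly in the guide, e.g. `This rule consumes Sysmon Event ID 17 (PipeEvent - Pipe Created); the filter above makes Sysmon forward pipe names that contain "pipe".`, would remove the guesswork. The inline comment in the query ("normal sysmon named pipe creation events truncate the pipe keyword") is the real detection rationale and deserves a sentence in the description rather than only a code comment.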
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-process-activity-via-compiled-html-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-process-activity-via-compiled-html-file.asciidoc
new file mode 100644
index 0000000000..03c7f0022c
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-process-activity-via-compiled-html-file.asciidoc
@@ -0,0 +1,79 @@
+[[prebuilt-rule-0-14-3-process-activity-via-compiled-html-file]]
+=== Process Activity via Compiled HTML File
+
+Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 10
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type in ("start", "process_started") and
+ process.parent.name : "hh.exe" and
+ process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: User Execution
+** ID: T1204
+** Reference URL: https://attack.mitre.org/techniques/T1204/
+* Sub-technique:
+** Name: Malicious File
+** ID: T1204.002
+** Reference URL: https://attack.mitre.org/techniques/T1204/002/
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Signed Binary Proxy Execution
+** ID: T1218
+** Reference URL: https://attack.mitre.org/techniques/T1218/
+* Sub-technique:
+** Name: Compiled HTML File
+** ID: T1218.001
+** Reference URL: https://attack.mitre.org/techniques/T1218/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-ransomware-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-ransomware-detected-elastic-endgame.asciidoc
new file mode 100644
index 0000000000..a0c7b3b33d
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-ransomware-detected-elastic-endgame.asciidoc
@@ -0,0 +1,45 @@
+[[prebuilt-rule-0-14-3-ransomware-detected-elastic-endgame]]
+=== Ransomware - Detected - Elastic Endgame
+
+Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* endgame-*
+
+*Severity*: critical
+
+*Risk score*: 99
+
+*Runs every*: 10m
+
+*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Elastic Endgame
+
+*Version*: 7
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
+
+----------------------------------
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-ransomware-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-ransomware-prevented-elastic-endgame.asciidoc
new file mode 100644
index 0000000000..532a394fd1
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-ransomware-prevented-elastic-endgame.asciidoc
@@ -0,0 +1,45 @@
+[[prebuilt-rule-0-14-3-ransomware-prevented-elastic-endgame]]
+=== Ransomware - Prevented - Elastic Endgame
+
+Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* endgame-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 10m
+
+*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Elastic Endgame
+
+*Version*: 7
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
+
+----------------------------------
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-file-download-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-file-download-via-powershell.asciidoc
new file mode 100644
index 0000000000..1715f27c6a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-file-download-via-powershell.asciidoc
@@ -0,0 +1,78 @@
+[[prebuilt-rule-0-14-3-remote-file-download-via-powershell]]
+=== Remote File Download via PowerShell
+
+Identifies powershell.exe being used to download an executable file from an untrusted remote destination.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Command and Control
+
+*Version*: 3
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id, process.entity_id with maxspan=30s
+ [network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and
+ not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and
+ not user.domain : "NT AUTHORITY"]
+ [file where process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and
+ not file.name : "__PSScriptPolicy*.ps1"]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Ingress Tool Transfer
+** ID: T1105
+** Reference URL: https://attack.mitre.org/techniques/T1105/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
+* Sub-technique:
+** Name: PowerShell
+** ID: T1059.001
+** Reference URL: https://attack.mitre.org/techniques/T1059/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-file-download-via-script-interpreter.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-file-download-via-script-interpreter.asciidoc
new file mode 100644
index 0000000000..2921717d09
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-file-download-via-script-interpreter.asciidoc
@@ -0,0 +1,65 @@
+[[prebuilt-rule-0-14-3-remote-file-download-via-script-interpreter]]
+=== Remote File Download via Script Interpreter
+
+Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Command and Control
+
+*Version*: 3
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id, process.entity_id
+ [network where process.name : ("wscript.exe", "cscript.exe") and network.protocol != "dns" and
+ network.direction : ("outgoing", "egress") and network.type == "ipv4" and destination.ip != "127.0.0.1"
+ ]
+ [file where event.type == "creation" and file.extension : ("exe", "dll")]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Ingress Tool Transfer
+** ID: T1105
+** Reference URL: https://attack.mitre.org/techniques/T1105/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-scheduled-task-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-scheduled-task-creation.asciidoc
new file mode 100644
index 0000000000..3270b9d2b4
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remote-scheduled-task-creation.asciidoc
@@ -0,0 +1,122 @@
+[[prebuilt-rule-0-14-3-remote-scheduled-task-creation]]
+=== Remote Scheduled Task Creation
+
+Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Lateral Movement
+
+*Version*: 5
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Triage and analysis
+
+### Investigating Creation of Remote Scheduled Tasks
+
+[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism used for persistence and executing programs. These features can
+be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries.
+When investigating scheduled tasks that have been set-up remotely, one of the first methods should be determining the
+original intent behind the configuration and verify if the activity is tied to benign behavior such as software installations or any kind
+of network administrator work. One objective for these alerts is to understand the configured action within the scheduled
+task, this is captured within the registry event data for this rule and can be base64 decoded to view the value.
+
+#### Possible investigation steps:
+- Review the base64 encoded tasks actions registry value to investigate the task configured action.
+- Determine if task is related to legitimate or benign behavior based on the corresponding process or program tied to the
+scheduled task.
+- Further examination should include both the source and target machines where host-based artifacts and network logs
+should be reviewed further around the time window of the creation of the scheduled task.
+
+### False Positive Analysis
+- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature
+within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to
+further understand the source of the activity and determine the intent based on the scheduled task contents.
+
+### Related Rules
+- Service Command Lateral Movement
+- Remotely Started Services via RPC
+
+### Response and Remediation
+- This behavior represents post-exploitation actions such as persistence or lateral movement, immediate response should
+be taken to review and investigate the activity and potentially isolate involved machines to prevent further post-compromise
+behavior.
+- Remove scheduled task and any other related artifacts to the activity.
+- Review privileged account management and user account management settings such as implementing GPO policies to further
+restrict activity or configure settings that only allow Administrators to create remote scheduled tasks.
+
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+/* Task Scheduler service incoming connection followed by TaskCache registry modification */
+
+sequence by host.id, process.entity_id with maxspan = 1m
+ [network where process.name : "svchost.exe" and
+ network.direction : ("incoming", "ingress") and source.port >= 49152 and destination.port >= 49152 and
+ source.address != "127.0.0.1" and source.address != "::1"
+ ]
+ [registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Scheduled Task/Job
+** ID: T1053
+** Reference URL: https://attack.mitre.org/techniques/T1053/
+* Sub-technique:
+** Name: Scheduled Task
+** ID: T1053.005
+** Reference URL: https://attack.mitre.org/techniques/T1053/005/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remotely-started-services-via-rpc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remotely-started-services-via-rpc.asciidoc
new file mode 100644
index 0000000000..d0f441557a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-remotely-started-services-via-rpc.asciidoc
@@ -0,0 +1,73 @@
+[[prebuilt-rule-0-14-3-remotely-started-services-via-rpc]]
+=== Remotely Started Services via RPC
+
+Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators."
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Lateral Movement
+
+*Version*: 3
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence with maxspan=1s
+ [network where process.name : "services.exe" and
+ network.direction : ("incoming", "ingress") and network.transport == "tcp" and
+ source.port >= 49152 and destination.port >= 49152 and source.address not in ("127.0.0.1", "::1")
+ ] by host.id, process.entity_id
+
+ [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and
+ not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and
+ not (process.name : "msiexec.exe" and process.args : "/V")
+
+ /* uncomment if psexec is noisy in your environment */
+ /* and not process.name : "PSEXESVC.exe" */
+ ] by host.id, process.parent.entity_id
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc
new file mode 100644
index 0000000000..c5dce906ed
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc
@@ -0,0 +1,110 @@
+[[prebuilt-rule-0-14-3-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet]]
+=== Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
+
+Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* auditbeat-*
+* filebeat-*
+* packetbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+* https://www.justice.gov/opa/press-release/file/1084361/download
+* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+
+*Tags*:
+
+* Elastic
+* Network
+* Threat Detection
+* Command and Control
+* Host
+
+*Version*: 9
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Threat intel
+
+This activity has been observed in FIN7 campaigns.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.category:(network or network_traffic) and network.protocol:http and
+ (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and
+ not destination.ip:(
+ 10.0.0.0/8 or
+ 127.0.0.0/8 or
+ 169.254.0.0/16 or
+ 172.16.0.0/12 or
+ 192.0.0.0/24 or
+ 192.0.0.0/29 or
+ 192.0.0.8/32 or
+ 192.0.0.9/32 or
+ 192.0.0.10/32 or
+ 192.0.0.170/32 or
+ 192.0.0.171/32 or
+ 192.0.2.0/24 or
+ 192.31.196.0/24 or
+ 192.52.193.0/24 or
+ 192.168.0.0/16 or
+ 192.88.99.0/24 or
+ 224.0.0.0/4 or
+ 100.64.0.0/10 or
+ 192.175.48.0/24 or
+ 198.18.0.0/15 or
+ 198.51.100.0/24 or
+ 203.0.113.0/24 or
+ 240.0.0.0/4 or
+ "::1" or
+ "FE80::/10" or
+ "FF00::/8"
+ ) and
+ source.ip:(
+ 10.0.0.0/8 or
+ 172.16.0.0/12 or
+ 192.168.0.0/16
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Ingress Tool Transfer
+** ID: T1105
+** Reference URL: https://attack.mitre.org/techniques/T1105/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-scheduled-task-created-by-a-windows-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-scheduled-task-created-by-a-windows-script.asciidoc
new file mode 100644
index 0000000000..c846516a5b
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-scheduled-task-created-by-a-windows-script.asciidoc
@@ -0,0 +1,77 @@
+[[prebuilt-rule-0-14-3-scheduled-task-created-by-a-windows-script]]
+=== Scheduled Task Created by a Windows Script
+
+A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 5
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Triage and analysis
+
+Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id with maxspan = 30s
+ [library where dll.name : "taskschd.dll" and process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")]
+ [registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Scheduled Task/Job
+** ID: T1053
+** Reference URL: https://attack.mitre.org/techniques/T1053/
+* Sub-technique:
+** Name: Scheduled Task
+** ID: T1053.005
+** Reference URL: https://attack.mitre.org/techniques/T1053/005/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-certutil-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-certutil-commands.asciidoc
new file mode 100644
index 0000000000..7172bb6947
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-certutil-commands.asciidoc
@@ -0,0 +1,69 @@
+[[prebuilt-rule-0-14-3-suspicious-certutil-commands]]
+=== Suspicious CertUtil Commands
+
+Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://twitter.com/Moriarty_Meng/status/984380793383370752
+* https://twitter.com/egre55/status/1087685529016193025
+* https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx
+* https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 10
+
+*Rule authors*:
+
+* Elastic
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type == "start" and
+ (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and
+ process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex", "?exportPFX")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Deobfuscate/Decode Files or Information
+** ID: T1140
+** Reference URL: https://attack.mitre.org/techniques/T1140/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-java-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-java-child-process.asciidoc
new file mode 100644
index 0000000000..b941916af5
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-java-child-process.asciidoc
@@ -0,0 +1,71 @@
+[[prebuilt-rule-0-14-3-suspicious-java-child-process]]
+=== Suspicious JAVA Child Process
+
+Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* auditbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.lunasec.io/docs/blog/log4j-zero-day/
+* https://github.com/christophetd/log4shell-vulnerable-app
+* https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* macOS
+* Threat Detection
+* Execution
+
+*Version*: 3
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type in ("start", "process_started") and
+ process.parent.name : "java" and
+ process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
+* Sub-technique:
+** Name: JavaScript
+** ID: T1059.007
+** Reference URL: https://attack.mitre.org/techniques/T1059/007/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-net-reflection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-net-reflection-via-powershell.asciidoc
new file mode 100644
index 0000000000..814329a64a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-net-reflection-via-powershell.asciidoc
@@ -0,0 +1,86 @@
+[[prebuilt-rule-0-14-3-suspicious-net-reflection-via-powershell]]
+=== Suspicious .NET Reflection via PowerShell
+
+This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.category:process and
+ powershell.file.script_block_text : (
+ "[System.Reflection.Assembly]::Load" or
+ "[Reflection.Assembly]::Load"
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
+* Sub-technique:
+** Name: Dynamic-link Library Injection
+** ID: T1055.001
+** Reference URL: https://attack.mitre.org/techniques/T1055/001/
+* Sub-technique:
+** Name: Portable Executable Injection
+** ID: T1055.002
+** Reference URL: https://attack.mitre.org/techniques/T1055/002/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
+* Sub-technique:
+** Name: PowerShell
+** ID: T1059.001
+** Reference URL: https://attack.mitre.org/techniques/T1059/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-portable-executable-encoded-in-powershell-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-portable-executable-encoded-in-powershell-script.asciidoc
new file mode 100644
index 0000000000..73373006eb
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-portable-executable-encoded-in-powershell-script.asciidoc
@@ -0,0 +1,67 @@
+[[prebuilt-rule-0-14-3-suspicious-portable-executable-encoded-in-powershell-script]]
+=== Suspicious Portable Executable Encoded in Powershell Script
+
+Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to disk.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.category:process and
+ powershell.file.script_block_text : (
+ TVqQAAMAAAAEAAAA
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
+* Sub-technique:
+** Name: PowerShell
+** ID: T1059.001
+** Reference URL: https://attack.mitre.org/techniques/T1059/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-process-access-via-direct-system-call.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-process-access-via-direct-system-call.asciidoc
new file mode 100644
index 0000000000..2505488775
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-process-access-via-direct-system-call.asciidoc
@@ -0,0 +1,67 @@
+[[prebuilt-rule-0-14-3-suspicious-process-access-via-direct-system-call]]
+=== Suspicious Process Access via Direct System Call
+
+Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://twitter.com/SBousseaden/status/1278013896440324096
+* https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.code == "10" and
+ length(winlog.event_data.CallTrace) > 0 and
+
+ /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */
+ not winlog.event_data.CallTrace : ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*", "?:\\WINDOWS\\SysWOW64\\ntdll.dll*")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-process-creation-calltrace.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-process-creation-calltrace.asciidoc
new file mode 100644
index 0000000000..709cf08033
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-process-creation-calltrace.asciidoc
@@ -0,0 +1,69 @@
+[[prebuilt-rule-0-14-3-suspicious-process-creation-calltrace]]
+=== Suspicious Process Creation CallTrace
+
+Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection or hollowing attempt.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 43
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=1m
+ [process where event.code == "1" and
+ /* sysmon process creation */
+ process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe",
+ "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe",
+ "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
+ "wmic.exe", "cmstp.exe", "msxsl.exe")] by process.parent.entity_id, process.entity_id
+ [process where event.code == "10" and
+ /* Sysmon process access event from unknown module */
+ winlog.event_data.CallTrace : "*UNKNOWN*"] by process.entity_id, winlog.event_data.TargetProcessGUID
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-zoom-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-zoom-child-process.asciidoc
new file mode 100644
index 0000000000..001f1875b9
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-suspicious-zoom-child-process.asciidoc
@@ -0,0 +1,66 @@
+[[prebuilt-rule-0-14-3-suspicious-zoom-child-process]]
+=== Suspicious Zoom Child Process
+
+A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 5
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type in ("start", "process_started", "info") and
+ process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Masquerading
+** ID: T1036
+** Reference URL: https://attack.mitre.org/techniques/T1036/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-system-shells-via-services.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-system-shells-via-services.asciidoc
new file mode 100644
index 0000000000..11ce279318
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-system-shells-via-services.asciidoc
@@ -0,0 +1,70 @@
+[[prebuilt-rule-0-14-3-system-shells-via-services]]
+=== System Shells via Services
+
+Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 10
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type in ("start", "process_started") and
+ process.parent.name : "services.exe" and
+ process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") and
+
+ /* Third party FP's */
+ not process.args : "NVDisplay.ContainerLocalSystem"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Create or Modify System Process
+** ID: T1543
+** Reference URL: https://attack.mitre.org/techniques/T1543/
+* Sub-technique:
+** Name: Windows Service
+** ID: T1543.003
+** Reference URL: https://attack.mitre.org/techniques/T1543/003/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-third-party-backup-files-deleted-via-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-third-party-backup-files-deleted-via-unexpected-process.asciidoc
new file mode 100644
index 0000000000..3cfeb11c84
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-third-party-backup-files-deleted-via-unexpected-process.asciidoc 
@@ -0,0 +1,75 @@
+[[prebuilt-rule-0-14-3-third-party-backup-files-deleted-via-unexpected-process]]
+=== Third-party Backup Files Deleted via Unexpected Process
+
+Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Impact
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where event.type == "deletion" and
+ (
+ /* Veeam Related Backup Files */
+ (file.extension : ("VBK", "VIB", "VBM") and
+ not process.executable : ("?:\\Windows\\Veeam\\Backup\\*",
+ "?:\\Program Files\\Veeam\\Backup and Replication\\*",
+ "?:\\Program Files (x86)\\Veeam\\Backup and Replication\\*")) or
+
+ /* Veritas Backup Exec Related Backup File */
+ (file.extension : "BKF" and
+ not process.executable : ("?:\\Program Files\\Veritas\\Backup Exec\\*",
+ "?:\\Program Files (x86)\\Veritas\\Backup Exec\\*"))
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Inhibit System Recovery
+** ID: T1490
+** Reference URL: https://attack.mitre.org/techniques/T1490/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-threat-intel-filebeat-module-v7-x-indicator-match.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-threat-intel-filebeat-module-v7-x-indicator-match.asciidoc
new file mode 100644
index 0000000000..3cc21fdd80
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-threat-intel-filebeat-module-v7-x-indicator-match.asciidoc
@@ -0,0 +1,106 @@ +[[prebuilt-rule-0-14-3-threat-intel-filebeat-module-v7-x-indicator-match]] +=== Threat Intel Filebeat Module (v7.x) Indicator Match + +This rule is triggered when indicators from the Threat Intel Filebeat module (v7.x) has a match against local file or network observations. + +*Rule type*: threat_match + +*Rule indices*: + +* auditbeat-* +* endgame-* +* filebeat-* +* logs-* +* packetbeat-* +* winlogbeat-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 1h + +*Searches indices from*: now-65m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html + +*Tags*: + +* Elastic +* Windows +* Elastic Endgame +* Network +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and Analysis + +### Investigating Threat Intel Indicator Matches + +Threat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file +hash with an entry of a file hash stored within the Threat Intel Filebeat module. Other examples of matches can occur on +an IP address, registry path, URL and imphash. + +The matches will be based on the incoming feed data so it's important to validate the data and review the results by +investigating the associated activity to determine if it requires further investigation. + +If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched. 
+ +- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation +- `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation +- `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation + +#### Possible investigation steps: +- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched +and viewing the source of that activity. +- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? +These kinds of questions can help understand if the activity is related to legitimate behavior. +- Consider the user and their role within the company, is this something related to their job or work function? + +### False Positive Analysis +- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can +be a great tool for augmenting existing security processes, while at the same time it should be understood that threat +intelligence can represent a specific set of activity observed at a point in time. For example, an IP address +may have hosted malware observed in a Dridex campaign six months ago, but it's possible that IP has been remediated and +no longer represents any threat. +- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their +way into indicator lists creating the potential for false positives. +- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules + +### Response and Remediation +- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further +post-compromise behavior. 
+- One example of a response if a machine matched a command and control IP address would be to add an entry to a network +device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine. +- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, +review current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:* + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-volume-shadow-copy-deletion-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-volume-shadow-copy-deletion-via-powershell.asciidoc new file mode 100644 index 0000000000..741a170b0c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-volume-shadow-copy-deletion-via-powershell.asciidoc 
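Review bot: The rule description near the top of this file, `indicators from the Threat Intel Filebeat module (v7.x) has a match against local file or network observations`, has a number-agreement error and should read `have a match`. Separately, the Rule query section shows only the event-side filter (`file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*`); nothing on the page says which indicator index or which `threatintel.indicator.*` fields each of those event fields is compared against, so a reader cannot tell from this doc what actually constitutes a match. A short "Indicator mapping" subsection listing those field pairings would give the `threatintel.indicator.matched.*` fields described in the investigation guide something concrete to refer to.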
@@ -0,0 +1,70 @@
+[[prebuilt-rule-0-14-3-volume-shadow-copy-deletion-via-powershell]]
+=== Volume Shadow Copy Deletion via PowerShell
+
+Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy
+* https://powershell.one/wmi/root/cimv2/win32_shadowcopy
+* https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Impact
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type in ("start", "process_started") and
+ process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
+ process.args : ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") and
+ process.args : ("*Win32_ShadowCopy*") and
+ process.args : ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Inhibit System Recovery
+** ID: T1490
+** Reference URL: https://attack.mitre.org/techniques/T1490/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-webshell-detection-script-process-child-of-common-web-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-webshell-detection-script-process-child-of-common-web-processes.asciidoc
new file mode 100644
index 0000000000..0af73a3720
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-webshell-detection-script-process-child-of-common-web-processes.asciidoc
@@ -0,0 +1,87 @@ +[[prebuilt-rule-0-14-3-webshell-detection-script-process-child-of-common-web-processes]] +=== Webshell Detection: Script Process Child of Common Web Processes + +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Detections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and + process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-whitespace-padding-in-process-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-whitespace-padding-in-process-command-line.asciidoc new file mode 100644 index 0000000000..4e4f45cb2e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-whitespace-padding-in-process-command-line.asciidoc 
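Review bot: The query filters on `event.type == "start"` while the sibling process rules in this package that list the same winlogbeat-*/logs-endpoint.events.*/logs-windows.* indices (System Shells via Services, Volume Shadow Copy Deletion via PowerShell, WMI Incoming Lateral Movement) use `event.type in ("start", "process_started")`; if any of those sources emit `process_started`, this rule silently misses those events. Either align the first line to `process where event.type in ("start", "process_started") and` or add a comment explaining why the narrower filter is intended. The same inconsistency appears in the Windows Defender Exclusions Added via PowerShell hunk later in this patch.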
@@ -0,0 +1,72 @@
+[[prebuilt-rule-0-14-3-whitespace-padding-in-process-command-line]]
+=== Whitespace Padding in Process Command Line
+
+Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://twitter.com/JohnLaTwC/status/1419251082736201737
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 5
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Triage and analysis
+
+- Analyze the command line of the process in question for evidence of malicious code execution.
+- Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type in ("start", "process_started") and
+ process.command_line regex ".*[ ]{20,}.*" or
+
+ /* this will match on 3 or more separate occurrences of 5+ contiguous whitespace characters */
+ process.command_line regex ".*(.*[ ]{5,}[^ ]*){3,}.*"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
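Review bot: In the Rule query, `and` binds tighter than `or` in EQL, so the expression parses as `(event.type in (...) and process.command_line regex ".*[ ]{20,}.*") or (process.command_line regex ".*(.*[ ]{5,}[^ ]*){3,}.*")`, which means the second regex is evaluated against every `process` event regardless of `event.type`, not only process starts as the description says. Wrapping the two alternatives restores the intended scope: `process where event.type in ("start", "process_started") and` / `(process.command_line regex ".*[ ]{20,}.*" or` / `process.command_line regex ".*(.*[ ]{5,}[^ ]*){3,}.*")`, with the existing `/* ... */` comment kept inside the parentheses. The `(.*[ ]{5,}[^ ]*){3,}` pattern also nests an unbounded `.*` inside a repeated group, which can backtrack heavily on long command lines; its cost on the endpoint event volume is worth confirming before shipping.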
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-windows-defender-exclusions-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-windows-defender-exclusions-added-via-powershell.asciidoc
new file mode 100644
index 0000000000..d04cc12ca6
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-windows-defender-exclusions-added-via-powershell.asciidoc
@@ -0,0 +1,127 @@ +[[prebuilt-rule-0-14-3-windows-defender-exclusions-added-via-powershell]] +=== Windows Defender Exclusions Added via PowerShell + +Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Defender Exclusions + +Microsoft Windows Defender is an anti-virus product built-in within Microsoft Windows. Since this software product is +used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration +settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more +notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defense to avoid detection. + +#### Possible investigation steps: +- With this specific rule, it's completely possible to trigger detections on network administrative activity or benign users +using scripting and PowerShell to configure the different exclusions for Windows Defender. 
Therefore, it's important to +identify the source of the activity first and determine if there is any mal-intent behind the events. +- The actual exclusion such as the process, the file or directory should be reviewed in order to determine the original +intent behind the exclusion. Is the excluded file or process malicious in nature or is it related to software that needs +to be legitimately whitelisted from Windows Defender? + +### False Positive Analysis +- This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly +a network administrator. In order to validate the activity further, review the specific exclusion made and determine based +on the exclusion of the original intent behind the exclusion. There are often many legitimate reasons why exclusions are made +with Windows Defender so it's important to gain context around the exclusion. + +### Related Rules +- Windows Defender Disabled via Registry Modification +- Disabling Windows Defender Security Settings via PowerShell + +### Response and Remediation +- Since this is related to post-exploitation activity, immediate response should be taken to review, investigate and +potentially isolate further activity +- If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove +the exclusion and ensure antimalware capability has not been disabled or deleted +- Exclusion lists for antimalware capabilities should always be routinely monitored for review + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and + process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and + process.args : ("*-Exclusion*") + +---------------------------------- + 
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Indicator Blocking
+** ID: T1562.006
+** Reference URL: https://attack.mitre.org/techniques/T1562/006/
+* Sub-technique:
+** Name: Disable or Modify Tools
+** ID: T1562.001
+** Reference URL: https://attack.mitre.org/techniques/T1562/001/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
+* Sub-technique:
+** Name: PowerShell
+** ID: T1059.001
+** Reference URL: https://attack.mitre.org/techniques/T1059/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-windows-firewall-disabled-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-windows-firewall-disabled-via-powershell.asciidoc
new file mode 100644
index 0000000000..57e147c00e
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-windows-firewall-disabled-via-powershell.asciidoc
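Review bot: In the Rule query section earlier in this hunk, `process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")` uses EQL's case-sensitive `in`, whereas the Windows Firewall Disabled via PowerShell hunk in this same patch compares the same field with `== "PowerShell.EXE"`; the two spellings differ only in case, so at most one of them can match the PE resource as the data source emits it, and the other rule's original-file-name fallback is effectively dead (the rules still fire via `process.name :`, since `:` is case-insensitive). Switching the list to the case-insensitive operator, `process.pe.original_file_name : ("PowerShell.EXE", "pwsh.dll", "powershell_ise.exe")`, makes the fallback independent of casing; whichever spelling is correct, the two rules should agree. The investigation guide is thorough here, but a `/* */` note in the query on why the PE original file name is checked at all (renamed binaries) would make the fallback's purpose clear to readers of the doc.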
@@ -0,0 +1,74 @@
+[[prebuilt-rule-0-14-3-windows-firewall-disabled-via-powershell]]
+=== Windows Firewall Disabled via PowerShell
+
+Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network constraints, like internet and network lateral communication restrictions.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
+* https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
+* http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
+* http://woshub.com/manage-windows-firewall-powershell/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Rule authors*:
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.action == "start" and
+ (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and
+ process.args : "*Set-NetFirewallProfile*" and
+ (process.args : "*-Enabled*" and process.args : "*False*") and
+ (process.args : "*-All*" or process.args : ("*Public*", "*Domain*", "*Private*"))
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify System Firewall
+** ID: T1562.004
+** Reference URL:
https://attack.mitre.org/techniques/T1562/004/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-wmi-incoming-lateral-movement.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-wmi-incoming-lateral-movement.asciidoc
new file mode 100644
index 0000000000..25b771759a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-wmi-incoming-lateral-movement.asciidoc
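Review bot: The query keys on `event.action == "start"` while every other process rule in this package keys on `event.type` (`"start"` / `"process_started"`); `event.action` is a data-source-specific string, and for the winlogbeat-*/logs-windows.* indices this rule lists it is unlikely to be the literal `start`, so the rule may in practice evaluate only endpoint data despite the three-index list. Changing the first line to `process where event.type == "start" and` (or the two-value `in` form the sibling rules use) would make the filter and the index list agree. The PE fallback `process.pe.original_file_name == "PowerShell.EXE"` also covers only one of the three hosts named in `process.name`, whereas the Windows Defender Exclusions hunk in this patch lists `"pwsh.dll"` and `"powershell_ise.exe"` as well; the two rules should carry the same fallback list.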
@@ -0,0 +1,82 @@
+[[prebuilt-rule-0-14-3-wmi-incoming-lateral-movement]]
+=== WMI Incoming Lateral Movement
+
+Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Lateral Movement
+
+*Version*: 3
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id with maxspan = 2s
+
+ /* Accepted Incoming RPC connection by Winmgmt service */
+
+ [network where process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and
+ source.address != "127.0.0.1" and source.address != "::1" and
+ source.port >= 49152 and destination.port >= 49152
+ ]
+
+ /* Excluding Common FPs Nessus and SCCM */
+
+ [process where event.type in ("start", "process_started") and process.parent.name : "WmiPrvSE.exe" and
+ not process.args : ("C:\\windows\\temp\\nessus_*.txt",
+ "C:\\windows\\TEMP\\nessus_*.TMP",
+ "C:\\Windows\\CCM\\SystemTemp\\*",
+ "C:\\Windows\\CCMCache\\*",
+ "C:\\CCM\\Cache\\*")
+ ]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Windows Management Instrumentation
+** ID: T1047
+** Reference URL: https://attack.mitre.org/techniques/T1047/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rules-0-14-3-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rules-0-14-3-appendix.asciidoc
new file mode 100644
index 0000000000..5ea95d7271
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rules-0-14-3-appendix.asciidoc
@@ -0,0 +1,87 @@ +["appendix",role="exclude",id="prebuilt-rule-0-14-3-prebuilt-rules-0-14-3-appendix"] += Downloadable rule update v0.14.3 + +This section lists all updates associated with version 0.14.3 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-0-14-3-aws-rds-snapshot-export.asciidoc[] +include::prebuilt-rule-0-14-3-aws-rds-snapshot-restored.asciidoc[] +include::prebuilt-rule-0-14-3-aws-eventbridge-rule-disabled-or-deleted.asciidoc[] +include::prebuilt-rule-0-14-3-aws-efs-file-system-or-mount-deleted.asciidoc[] +include::prebuilt-rule-0-14-3-aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc[] +include::prebuilt-rule-0-14-3-aws-route-table-created.asciidoc[] +include::prebuilt-rule-0-14-3-aws-saml-activity.asciidoc[] +include::prebuilt-rule-0-14-3-aws-security-token-service-sts-assumerole-usage.asciidoc[] +include::prebuilt-rule-0-14-3-azure-full-network-packet-capture-detected.asciidoc[] +include::prebuilt-rule-0-14-3-azure-blob-permissions-modification.asciidoc[] +include::prebuilt-rule-0-14-3-azure-kubernetes-events-deleted.asciidoc[] +include::prebuilt-rule-0-14-3-azure-kubernetes-pods-deleted.asciidoc[] +include::prebuilt-rule-0-14-3-azure-virtual-network-device-modified-or-deleted.asciidoc[] +include::prebuilt-rule-0-14-3-azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc[] +include::prebuilt-rule-0-14-3-azure-kubernetes-rolebindings-created.asciidoc[] +include::prebuilt-rule-0-14-3-gcp-kubernetes-rolebindings-created-or-patched.asciidoc[] +include::prebuilt-rule-0-14-3-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc[] +include::prebuilt-rule-0-14-3-powershell-keylogging-script.asciidoc[] +include::prebuilt-rule-0-14-3-powershell-minidump-script.asciidoc[] +include::prebuilt-rule-0-14-3-potential-credential-access-via-renamed-com-services-dll.asciidoc[] +include::prebuilt-rule-0-14-3-potential-credential-access-via-lsass-memory-dump.asciidoc[] 
+include::prebuilt-rule-0-14-3-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc[] +include::prebuilt-rule-0-14-3-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc[] +include::prebuilt-rule-0-14-3-clearing-windows-console-history.asciidoc[] +include::prebuilt-rule-0-14-3-dns-over-https-enabled-via-registry.asciidoc[] +include::prebuilt-rule-0-14-3-suspicious-net-reflection-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-3-potential-process-injection-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-3-windows-firewall-disabled-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-3-suspicious-process-access-via-direct-system-call.asciidoc[] +include::prebuilt-rule-0-14-3-suspicious-process-creation-calltrace.asciidoc[] +include::prebuilt-rule-0-14-3-powershell-suspicious-discovery-related-windows-api-functions.asciidoc[] +include::prebuilt-rule-0-14-3-enumeration-of-privileged-local-groups-membership.asciidoc[] +include::prebuilt-rule-0-14-3-suspicious-portable-executable-encoded-in-powershell-script.asciidoc[] +include::prebuilt-rule-0-14-3-account-password-reset-remotely.asciidoc[] +include::prebuilt-rule-0-14-3-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc[] +include::prebuilt-rule-0-14-3-suspicious-java-child-process.asciidoc[] +include::prebuilt-rule-0-14-3-hosts-file-modified.asciidoc[] +include::prebuilt-rule-0-14-3-threat-intel-filebeat-module-v7-x-indicator-match.asciidoc[] +include::prebuilt-rule-0-14-3-gcp-virtual-private-cloud-route-creation.asciidoc[] +include::prebuilt-rule-0-14-3-microsoft-365-potential-ransomware-activity.asciidoc[] +include::prebuilt-rule-0-14-3-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc[] +include::prebuilt-rule-0-14-3-ransomware-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-0-14-3-ransomware-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-0-14-3-exporting-exchange-mailbox-via-powershell.asciidoc[] 
+include::prebuilt-rule-0-14-3-remote-file-download-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-3-remote-file-download-via-script-interpreter.asciidoc[] +include::prebuilt-rule-0-14-3-kerberos-traffic-from-unusual-process.asciidoc[] +include::prebuilt-rule-0-14-3-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc[] +include::prebuilt-rule-0-14-3-clearing-windows-event-logs.asciidoc[] +include::prebuilt-rule-0-14-3-windows-defender-exclusions-added-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-3-disabling-windows-defender-security-settings-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-3-control-panel-process-with-unusual-arguments.asciidoc[] +include::prebuilt-rule-0-14-3-microsoft-build-engine-started-by-a-script-process.asciidoc[] +include::prebuilt-rule-0-14-3-installutil-process-making-network-connections.asciidoc[] +include::prebuilt-rule-0-14-3-potential-windows-error-manager-masquerading.asciidoc[] +include::prebuilt-rule-0-14-3-network-connection-via-signed-binary.asciidoc[] +include::prebuilt-rule-0-14-3-suspicious-certutil-commands.asciidoc[] +include::prebuilt-rule-0-14-3-suspicious-zoom-child-process.asciidoc[] +include::prebuilt-rule-0-14-3-whitespace-padding-in-process-command-line.asciidoc[] +include::prebuilt-rule-0-14-3-outbound-scheduled-task-activity-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-3-process-activity-via-compiled-html-file.asciidoc[] +include::prebuilt-rule-0-14-3-third-party-backup-files-deleted-via-unexpected-process.asciidoc[] +include::prebuilt-rule-0-14-3-volume-shadow-copy-deletion-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-3-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc[] +include::prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-via-mshta.asciidoc[] +include::prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-mmc.asciidoc[] +include::prebuilt-rule-0-14-3-incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.asciidoc[] 
+include::prebuilt-rule-0-14-3-lateral-tool-transfer.asciidoc[] +include::prebuilt-rule-0-14-3-incoming-execution-via-winrm-remote-shell.asciidoc[] +include::prebuilt-rule-0-14-3-wmi-incoming-lateral-movement.asciidoc[] +include::prebuilt-rule-0-14-3-incoming-execution-via-powershell-remoting.asciidoc[] +include::prebuilt-rule-0-14-3-potential-sharprdp-behavior.asciidoc[] +include::prebuilt-rule-0-14-3-remotely-started-services-via-rpc.asciidoc[] +include::prebuilt-rule-0-14-3-remote-scheduled-task-creation.asciidoc[] +include::prebuilt-rule-0-14-3-local-scheduled-task-creation.asciidoc[] +include::prebuilt-rule-0-14-3-scheduled-task-created-by-a-windows-script.asciidoc[] +include::prebuilt-rule-0-14-3-new-activesyncalloweddeviceid-added-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-3-component-object-model-hijacking.asciidoc[] +include::prebuilt-rule-0-14-3-system-shells-via-services.asciidoc[] +include::prebuilt-rule-0-14-3-webshell-detection-script-process-child-of-common-web-processes.asciidoc[] +include::prebuilt-rule-0-14-3-network-connection-via-mshta.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rules-0-14-3-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rules-0-14-3-summary.asciidoc new file mode 100644 index 0000000000..08acaf2e9a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rules-0-14-3-summary.asciidoc 
@@ -0,0 +1,174 @@
+[[prebuilt-rule-0-14-3-prebuilt-rules-0-14-3-summary]]
+[role="xpack"]
+== Update v0.14.3
+
+This section lists all updates associated with version 0.14.3 of the Fleet integration *Prebuilt Security Detection Rules*.
+
+
+[width="100%",options="header"]
+|==============================================
+|Rule |Description |Status |Version
+
+|<> | Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. | new | 1
+
+|<> | Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. | new | 2
+
+|<> | Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. | new | 2
+
+|<> | Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. | new | 1
+
+|<> | Identifies when a Route53 private hosted zone has been associated with VPC. | new | 1
+
+|<> | Identifies when an AWS Route Table has been created. | new | 1
+
+|<> | Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. | new | 1
+
+|<> | Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. | new | 1
+
+|<> | Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic. | new | 1
+
+|<> | Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss. | new | 1
+
+|<> | Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. | new | 2
+
+|<> | Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment. | new | 2
+
+|<> | Identifies when a virtual network device is being modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router. | new | 1
+
+|<> | Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics. | new | 1
+
+|<> | Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles. | new | 1
+
+|<> | Identifies the creation or patching of potential malicious rolebinding. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. | new | 1
+
+|<> | Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling. | new | 2
+
+|<> | Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data. | new | 1
+
+|<> | This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials. | new | 2
+
+|<> | Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in preparation for credential access. | new | 1
+
+|<> | Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access. | new | 1
+
+|<> | Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access. | new | 1
+
+|<> | Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access. | new | 1
+
+|<> | Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. | new | 1
+
+|<> | Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors. | new | 2
+
+|<> | This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions. | new | 1
+
+|<> | Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes. | new | 1
+
+|<> | Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network constraints, like internet and network lateral communication restrictions. | new | 1
+
+|<> | Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. | new | 2
+
+|<> | Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection or hollowing attempt. | new | 1
+
+|<> | This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. | new | 2
+
+|<> | Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users. | new | 1
+
+|<> | Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to disk. | new | 2
+
+|<> | Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. | new | 1
+
+|<> | Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it. | new | 1
+
+|<> | Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. | update | 3
+
+|<> | The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems. | update | 6
+
+|<> | This rule is triggered when indicators from the Threat Intel Filebeat module (v7.x) has a match against local file or network observations. | update | 4
+
+|<> | Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment. | update | 6
+
+|<> | Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware. | update | 2
+
+|<> | Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control. | update | 9
+
+|<> | Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 7
+
+|<> | Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 7
+
+|<> | Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. | update | 6
+
+|<> | Identifies powershell.exe being used to download an executable file from an untrusted remote destination. | update | 3
+
+|<> | Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination. | update | 3
+
+|<> | Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe. | update | 4
+
+|<> | Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access. | update | 2
+
+|<> | Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. | update | 11
+
+|<> | Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level. | update | 5
+
+|<> | Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings. | update | 2
+
+|<> | Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code. | update | 2
+
+|<> | An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads. | update | 10
+
+|<> | Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection. | update | 4
+
+|<> | Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections. | update | 4
+
+|<> | Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation. | update | 9
+
+|<> | Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration. | update | 10
+
+|<> | A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well. | update | 5
+
+|<> | Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior. | update | 5
+
+|<> | Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks. | update | 4
+
+|<> | Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). | update | 10
+
+|<> | Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely. | update | 2
+
+|<> | Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks. | update | 2
+
+|<> | Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor. | update | 2
+
+|<> | Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection. | update | 4
+
+|<> | Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally. | update | 4
+
+|<> | Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally. | update | 4
+
+|<> | Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment. | update | 3
+
+|<> | Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement. | update | 3
+
+|<> | Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. | update | 3
+
+|<> | Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement. | update | 3
+
+|<> | Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement. | update | 4
+
+|<> | Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators." | update | 3
+
+|<> | Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement. | update | 5
+
+|<> | A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges. | update | 9
+
+|<> | A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence. | update | 5
+
+|<> | Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information. | update | 6
+
+|<> | Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. | update | 5
+
+|<> | Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. | update | 10
+
+|<> | Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. | update | 3
+
+|<> | Identifies mshta.exe making a network connection. This may indicate adversarial activity, as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection. | deprecated | 5
+
+|==============================================
diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc
index 5c8baf1983..45feac1dd7 100644
--- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc
+++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc
@@ -11,6 +11,10 @@ To download the latest updates, follow the instructions in <> | 13 Dec 2021 | 35 | 45 |
+This release includes an update to an existing rule and adds a new rule to help detect https://www.elastic.co/blog/detecting-log4j2-with-elastic-security[CVE-2021-44228 (log4j2)].
+Also included are updates and new rules for cloud integrations, windows, PowerShell, and others.
+
 |<> | 15 Oct 2021 | 18 | 89 | This release includes rules covering Windows endpoints, as well as several third-party integrations — including rules contributed by the community.
@@ -37,4 +41,5 @@ include::downloadable-packages/0-13-1/prebuilt-rules-0-13-1-summary.asciidoc[lev
 include::downloadable-packages/0-13-2/prebuilt-rules-0-13-2-summary.asciidoc[leveloffset=+1]
 include::downloadable-packages/0-13-3/prebuilt-rules-0-13-3-summary.asciidoc[leveloffset=+1]
 include::downloadable-packages/0-14-1/prebuilt-rules-0-14-1-summary.asciidoc[leveloffset=+1]
-include::downloadable-packages/0-14-2/prebuilt-rules-0-14-2-summary.asciidoc[leveloffset=+1]
\ No newline at end of file
+include::downloadable-packages/0-14-2/prebuilt-rules-0-14-2-summary.asciidoc[leveloffset=+1]
+include::downloadable-packages/0-14-3/prebuilt-rules-0-14-3-summary.asciidoc[leveloffset=+1]
\ No newline at end of file
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index 2745f96a4e..c1c415abe8 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -62,3 +62,5 @@ include::detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rules-0
 include::detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rules-0-14-1-appendix.asciidoc[]
 include::detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rules-0-14-2-appendix.asciidoc[]
+
+include::detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rules-0-14-3-appendix.asciidoc[]