Add rule docs for 8.1.0 updates (#1692)

Author: brokensound77

docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc

@@ -6,7 +6,70 @@ significant modifications to their query or scope are listed. For detailed
 information about a rule's changes, see the rule's description page.
 
 [float]
-=== 8.0
+=== 8.1.0
+
+<<account-password-reset-remotely>>
+
+<<attempts-to-brute-force-a-microsoft-365-user-account>>
+
+<<azure-virtual-network-device-modified-or-deleted>>
+
+<<disabling-user-account-control-via-registry-modification>>
+
+<<gcp-kubernetes-rolebindings-created-or-patched>>
+
+<<installation-of-security-support-provider>>
+
+<<kerberos-traffic-from-unusual-process>>
+
+<<local-scheduled-task-creation>>
+
+<<microsoft-365-inbox-forwarding-rule-created>>
+
+<<microsoft-windows-defender-tampering>>
+
+<<modification-of-amsienable-registry-key>>
+
+<<modification-of-wdigest-security-provider>>
+
+<<net-command-via-system-account>>
+
+<<network-connection-via-registration-utility>>
+
+<<o365-exchange-suspicious-mailbox-right-delegation>>
+
+<<persistence-via-hidden-run-key-detected>>
+
+<<port-forwarding-rule-addition>>
+
+<<potential-command-and-control-via-internet-explorer>>
+
+<<potential-credential-access-via-lsass-memory-dump>>
+
+<<potential-password-spraying-of-microsoft-365-user-accounts>>
+
+<<potential-port-monitor-or-print-processor-registration-abuse>>
+
+<<potential-privilege-escalation-via-installerfiletakeover>>
+
+<<rdp-enabled-via-registry>>
+
+<<registry-persistence-via-appcert-dll>>
+
+<<scheduled-tasks-at-command-enabled>>
+
+<<service-control-spawned-via-script-interpreter>>
+
+<<solarwinds-process-disabling-services-via-registry>>
+
+<<unusual-print-spooler-child-process>>
+
+<<volume-shadow-copy-deleted-or-resized-via-vssadmin>>
+
+<<windows-defender-disabled-via-registry-modification>>
+
+[float]
+=== 8.0.0
 
 <<application-added-to-google-workspace-domain>>
 

docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc

@@ -57,6 +57,7 @@ include::rule-details/access-to-keychain-credentials-directories.asciidoc[]
 include::rule-details/account-password-reset-remotely.asciidoc[]
 include::rule-details/adfind-command-activity.asciidoc[]
 include::rule-details/adding-hidden-file-attribute-via-attrib.asciidoc[]
+include::rule-details/adminsdholder-backdoor.asciidoc[]
 include::rule-details/administrator-privileges-assigned-to-an-okta-group.asciidoc[]
 include::rule-details/administrator-role-assigned-to-an-okta-user.asciidoc[]
 include::rule-details/adobe-hijack-persistence.asciidoc[]
@@ -103,6 +104,7 @@ include::rule-details/auditd-login-from-forbidden-location.asciidoc[]
 include::rule-details/auditd-max-failed-login-attempts.asciidoc[]
 include::rule-details/auditd-max-login-sessions.asciidoc[]
 include::rule-details/authorization-plugin-modification.asciidoc[]
+include::rule-details/azure-ad-global-administrator-role-assigned.asciidoc[]
 include::rule-details/azure-active-directory-high-risk-sign-in.asciidoc[]
 include::rule-details/azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc[]
 include::rule-details/azure-active-directory-powershell-sign-in.asciidoc[]
@@ -262,7 +264,9 @@ include::rule-details/installation-of-custom-shim-databases.asciidoc[]
 include::rule-details/installation-of-security-support-provider.asciidoc[]
 include::rule-details/interactive-terminal-spawned-via-perl.asciidoc[]
 include::rule-details/interactive-terminal-spawned-via-python.asciidoc[]
+include::rule-details/krbtgt-delegation-backdoor.asciidoc[]
 include::rule-details/kerberos-cached-credentials-dumping.asciidoc[]
+include::rule-details/kerberos-preauthentication-disabled-for-user.asciidoc[]
 include::rule-details/kerberos-traffic-from-unusual-process.asciidoc[]
 include::rule-details/kernel-module-removal.asciidoc[]
 include::rule-details/keychain-password-retrieval-via-command-line.asciidoc[]
@@ -273,6 +277,7 @@ include::rule-details/launch-agent-creation-or-modification-and-immediate-loadin
 include::rule-details/launchdaemon-creation-or-modification-and-immediate-loading.asciidoc[]
 include::rule-details/local-scheduled-task-creation.asciidoc[]
 include::rule-details/mfa-disabled-for-google-workspace-organization.asciidoc[]
+include::rule-details/ms-office-macro-security-registry-modifications.asciidoc[]
 include::rule-details/malware-detected-elastic-endgame.asciidoc[]
 include::rule-details/malware-prevented-elastic-endgame.asciidoc[]
 include::rule-details/microsoft-365-exchange-anti-phish-policy-deletion.asciidoc[]
@@ -286,7 +291,8 @@ include::rule-details/microsoft-365-exchange-safe-attachment-rule-disabled.ascii
 include::rule-details/microsoft-365-exchange-safe-link-policy-disabled.asciidoc[]
 include::rule-details/microsoft-365-exchange-transport-rule-creation.asciidoc[]
 include::rule-details/microsoft-365-exchange-transport-rule-modification.asciidoc[]
-include::rule-details/microsoft-365-new-inbox-rule-created.asciidoc[]
+include::rule-details/microsoft-365-global-administrator-role-assigned.asciidoc[]
+include::rule-details/microsoft-365-inbox-forwarding-rule-created.asciidoc[]
 include::rule-details/microsoft-365-potential-ransomware-activity.asciidoc[]
 include::rule-details/microsoft-365-teams-custom-application-interaction-allowed.asciidoc[]
 include::rule-details/microsoft-365-teams-external-access-enabled.asciidoc[]
@@ -333,10 +339,12 @@ include::rule-details/new-activesyncalloweddeviceid-added-via-powershell.asciido
 include::rule-details/new-or-modified-federation-domain.asciidoc[]
 include::rule-details/nping-process-activity.asciidoc[]
 include::rule-details/nullsessionpipe-registry-modification.asciidoc[]
+include::rule-details/o365-email-reported-by-user-as-malware-or-phish.asciidoc[]
 include::rule-details/o365-excessive-single-sign-on-logon-errors.asciidoc[]
 include::rule-details/o365-exchange-suspicious-mailbox-right-delegation.asciidoc[]
 include::rule-details/o365-mailbox-audit-logging-bypass.asciidoc[]
 include::rule-details/okta-brute-force-or-password-spraying-attack.asciidoc[]
+include::rule-details/onedrive-malware-file-upload.asciidoc[]
 include::rule-details/outbound-scheduled-task-activity-via-powershell.asciidoc[]
 include::rule-details/parent-process-pid-spoofing.asciidoc[]
 include::rule-details/peripheral-device-discovery.asciidoc[]
@@ -361,10 +369,12 @@ include::rule-details/port-forwarding-rule-addition.asciidoc[]
 include::rule-details/possible-consent-grant-attack-via-azure-registered-application.asciidoc[]
 include::rule-details/possible-fin7-dga-command-and-control-behavior.asciidoc[]
 include::rule-details/possible-okta-dos-attack.asciidoc[]
+include::rule-details/potential-abuse-of-repeated-mfa-push-notifications.asciidoc[]
 include::rule-details/potential-admin-group-account-addition.asciidoc[]
 include::rule-details/potential-application-shimming-via-sdbinst.asciidoc[]
 include::rule-details/potential-command-and-control-via-internet-explorer.asciidoc[]
 include::rule-details/potential-cookies-theft-via-browser-debugging.asciidoc[]
+include::rule-details/potential-credential-access-via-dcsync.asciidoc[]
 include::rule-details/potential-credential-access-via-duplicatehandle-in-lsass.asciidoc[]
 include::rule-details/potential-credential-access-via-lsass-memory-dump.asciidoc[]
 include::rule-details/potential-credential-access-via-renamed-com-services-dll.asciidoc[]
@@ -376,6 +386,7 @@ include::rule-details/potential-dns-tunneling-via-nslookup.asciidoc[]
 include::rule-details/potential-disabling-of-selinux.asciidoc[]
 include::rule-details/potential-evasion-via-filter-manager.asciidoc[]
 include::rule-details/potential-hidden-local-user-account-creation.asciidoc[]
+include::rule-details/potential-java-jndi-exploitation-attempt.asciidoc[]
 include::rule-details/potential-kerberos-attack-via-bifrost.asciidoc[]
 include::rule-details/potential-lsa-authentication-package-abuse.asciidoc[]
 include::rule-details/potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc[]
@@ -394,7 +405,9 @@ include::rule-details/potential-printnightmare-file-modification.asciidoc[]
 include::rule-details/potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc[]
 include::rule-details/potential-privacy-control-bypass-via-tccdb-modification.asciidoc[]
 include::rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc[]
+include::rule-details/potential-privilege-escalation-via-pkexec.asciidoc[]
 include::rule-details/potential-privilege-escalation-via-sudoers-file-modification.asciidoc[]
+include::rule-details/potential-privileged-escalation-via-samaccountname-spoofing.asciidoc[]
 include::rule-details/potential-process-herpaderping-attempt.asciidoc[]
 include::rule-details/potential-process-injection-via-powershell.asciidoc[]
 include::rule-details/potential-protocol-tunneling-via-earthworm.asciidoc[]
@@ -403,12 +416,15 @@ include::rule-details/potential-remote-desktop-tunneling-detected.asciidoc[]
 include::rule-details/potential-reverse-shell-activity-via-terminal.asciidoc[]
 include::rule-details/potential-ssh-brute-force-detected.asciidoc[]
 include::rule-details/potential-secure-file-deletion-via-sdelete-utility.asciidoc[]
+include::rule-details/potential-shadow-credentials-added-to-ad-object.asciidoc[]
 include::rule-details/potential-sharprdp-behavior.asciidoc[]
 include::rule-details/potential-shell-via-web-server.asciidoc[]
 include::rule-details/potential-windows-error-manager-masquerading.asciidoc[]
+include::rule-details/powershell-kerberos-ticket-request.asciidoc[]
 include::rule-details/powershell-keylogging-script.asciidoc[]
 include::rule-details/powershell-minidump-script.asciidoc[]
 include::rule-details/powershell-psreflect-script.asciidoc[]
+include::rule-details/powershell-script-block-logging-disabled.asciidoc[]
 include::rule-details/powershell-suspicious-discovery-related-windows-api-functions.asciidoc[]
 include::rule-details/powershell-suspicious-payload-encoded-and-compressed.asciidoc[]
 include::rule-details/powershell-suspicious-script-with-audio-capture-capabilities.asciidoc[]
@@ -463,9 +479,11 @@ include::rule-details/searching-for-saved-credentials-via-vaultcmd.asciidoc[]
 include::rule-details/security-software-discovery-using-wmic.asciidoc[]
 include::rule-details/security-software-discovery-via-grep.asciidoc[]
 include::rule-details/sensitive-files-compression.asciidoc[]
+include::rule-details/sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc[]
 include::rule-details/service-command-lateral-movement.asciidoc[]
 include::rule-details/service-control-spawned-via-script-interpreter.asciidoc[]
 include::rule-details/setuid-setgid-bit-set-via-chmod.asciidoc[]
+include::rule-details/sharepoint-malware-file-upload.asciidoc[]
 include::rule-details/shell-execution-via-apple-scripting.asciidoc[]
 include::rule-details/shortcut-file-written-or-modified-for-persistence.asciidoc[]
 include::rule-details/softwareupdate-preferences-modification.asciidoc[]
@@ -631,5 +649,6 @@ include::rule-details/windows-firewall-disabled-via-powershell.asciidoc[]
 include::rule-details/windows-network-enumeration.asciidoc[]
 include::rule-details/windows-script-executing-powershell.asciidoc[]
 include::rule-details/windows-script-interpreter-executing-process-via-wmi.asciidoc[]
+include::rule-details/windows-service-installed-via-an-unusual-client.asciidoc[]
 include::rule-details/zoom-meeting-with-no-passcode.asciidoc[]
 include::rule-details/macos-installer-spawns-network-event.asciidoc[]

docs/detections/prebuilt-rules/rule-desc-index.asciidoc

@@ -33,11 +33,11 @@ Specially crafted DNS requests can manipulate a known overflow vulnerability in
 * Threat Detection
 * Lateral Movement
 
-*Version*: 5 (<<abnormally-large-dns-response-history, version history>>)
+*Version*: 6 (<<abnormally-large-dns-response-history, version history>>)
 
 *Added ({stack} release)*: 7.10.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.1.0
 
 *Rule authors*: Elastic
 
@@ -63,16 +63,16 @@ also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vu
 - This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate
 the source of the incoming traffic and determine if this activity has been observed previously within an environment.
 - Activity can be further investigated and validated by reviewing available corresponding Intrusion Detection Signatures (IDS) alerts associated with activity.
-- Further examination can be made by reviewing the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
+- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
 - Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.
 - Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.
 
 #### False Positive Analysis
 - Based on this rule which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes
 and related to legitimate behavior.  In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses
 were all observed as greater than 65k bytes.
-- This activity has the ability to be triggered from compliance/vulnerability scanning or compromise assessment, it's
-important to determine the source of the activity and potential whitelist the source host
+- This activity can be triggered by compliance/vulnerability scanning or compromise assessment, it's
+important to determine the source of the activity and potentially allowlist the source host.
 
 
 ### Related Rules
@@ -86,7 +86,7 @@ patched machines. If unable to patch immediately: Microsoft [released](https://s
 restart. This can be used as a temporary solution before the patch is applied.
 - Maintain backups of your critical systems to aid in quick recovery.
 - Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.
-- If observed true positive activity, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
+- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
 
 ----------------------------------
 
@@ -117,6 +117,9 @@ and network.bytes > 60000
 [[abnormally-large-dns-response-history]]
 ==== Rule version history
 
+Version 6 (8.1.0 release)::
+* Formatting only
+
 Version 5 (7.16.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/abnormally-large-dns-response.asciidoc

@@ -34,10 +34,12 @@ Identifies an attempt to reset an account password remotely. Adversaries may man
 * Threat Detection
 * Persistence
 
-*Version*: 1
+*Version*: 2 (<<account-password-reset-remotely-history, version history>>)
 
 *Added ({stack} release)*: 8.0.0
 
+*Last modified ({stack} release)*: 8.1.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License v2
@@ -54,9 +56,9 @@ Legitimate remote account administration.
 sequence by host.id with maxspan=5m [authentication where
 event.action == "logged-in" and /* event 4624 need to be logged */
 winlog.logon.type : "Network" and event.outcome == "success" and
-source.ip != null and not source.ip in ("127.0.0.1", "::1")] by
-winlog.event_data.TargetLogonId /* event 4724 need to be logged */
-[iam where event.action == "reset-password"] by
+source.ip != null and source.ip != "127.0.0.1" and source.ip !=
+"::1"] by winlog.event_data.TargetLogonId /* event 4724 need to be
+logged */ [iam where event.action == "reset-password"] by
 winlog.event_data.SubjectLogonId
 ----------------------------------
 
@@ -72,3 +74,21 @@ winlog.event_data.SubjectLogonId
 ** Name: Account Manipulation
 ** ID: T1098
 ** Reference URL: https://attack.mitre.org/techniques/T1098/
+
+[[account-password-reset-remotely-history]]
+==== Rule version history
+
+Version 2 (8.1.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=5m [authentication where
+event.action == "logged-in" and /* event 4624 need to be logged */
+winlog.logon.type : "Network" and event.outcome == "success" and
+source.ip != null and not source.ip in ("127.0.0.1", "::1")] by
+winlog.event_data.TargetLogonId /* event 4724 need to be logged */
+[iam where event.action == "reset-password"] by
+winlog.event_data.SubjectLogonId
+----------------------------------
+

docs/detections/prebuilt-rules/rule-details/account-password-reset-remotely.asciidoc

@@ -38,11 +38,11 @@ This rule detects the Active Directory query tool, AdFind.exe. AdFind has legiti
 * Threat Detection
 * Discovery
 
-*Version*: 5 (<<adfind-command-activity-history, version history>>)
+*Version*: 6 (<<adfind-command-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.1.0
 
 *Rule authors*: Elastic
 
@@ -58,7 +58,7 @@ This rule detects the Active Directory query tool, AdFind.exe. AdFind has legiti
 ### Investigating AdFind Command Activity
 
 [AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from
-Activity Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways
+Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways
 they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and
 understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/)
 observed where this tool has been adopted by ransomware and criminal groups and used in compromises.
@@ -69,11 +69,11 @@ the source of the activity.  This could involve identifying the account using `A
 what information was retrieved, then further determining if these actions are in scope of that user's traditional responsibilities.
 - In multiple public references, `AdFind` is leveraged after initial access is achieved, review previous activity on impacted
 machine looking for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic
-to suspicious infrastructure
+to suspicious infrastructure.
 
 ### False Positive Analysis
 - This rule has the high chance to produce false positives as it is a legitimate tool used by network administrators. One
-option could be whitelisting specific users or groups who use the tool as part of their daily responsibilities. This can
+option could be allowlisting specific users or groups who use the tool as part of their daily responsibilities. This can
 be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment
 - Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in
 isolation, so reviewing previous logs/activity from impacted machines could be very telling.
@@ -84,7 +84,7 @@ isolation, so reviewing previous logs/activity from impacted machines could be v
 - Enumeration Command Spawned via WMIPrvSE
 
 ### Response and Remediation
-- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
+- take immediate action to validate activity, investigate and potentially isolate activity to prevent further
 post-compromise behavior
 - It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate
 purposes, so understanding the intent behind the activity will help determine the appropropriate response.
@@ -127,6 +127,9 @@ process where event.type in ("start", "process_started") and
 [[adfind-command-activity-history]]
 ==== Rule version history
 
+Version 6 (8.1.0 release)::
+* Formatting only
+
 Version 5 (7.16.0 release)::
 * Formatting only