diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-kernel-module-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-kernel-module-activity.asciidoc new file mode 100644 index 0000000000..eec45a51a1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-kernel-module-activity.asciidoc @@ -0,0 +1,52 @@ +[[prebuilt-rule-0-14-1-anomalous-kernel-module-activity]] +=== Anomalous Kernel Module Activity + +Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* ML + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-linux-compiler-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-linux-compiler-activity.asciidoc new file mode 100644 index 0000000000..97b3e70514 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-linux-compiler-activity.asciidoc @@ -0,0 +1,37 @@ +[[prebuilt-rule-0-14-1-anomalous-linux-compiler-activity]] +=== Anomalous Linux Compiler Activity + +Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* ML + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-process-for-a-linux-population.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-process-for-a-linux-population.asciidoc new file mode 100644 index 0000000000..4f7da7f827 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-process-for-a-linux-population.asciidoc 
@@ -0,0 +1,53 @@ +[[prebuilt-rule-0-14-1-anomalous-process-for-a-linux-population]] +=== Anomalous Process For a Linux Population + +Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* ML + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating an Unusual Linux Process +Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? +- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. +---------------------------------- 
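Review bot: in the description paragraph, "This reduces the detection of false positives" says the opposite of what is meant; it should read "This reduces false positives". The same sentence appears in the Anomalous Process For a Windows Population file in this patch, so both should be corrected together. The investigation guide heading "Investigating an Unusual Linux Process" also does not match the rule title "Anomalous Process For a Linux Population"; aligning the two makes the guide findable when an analyst searches on the rule name.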
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-process-for-a-windows-population.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-process-for-a-windows-population.asciidoc new file mode 100644 index 0000000000..94b04934c7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-process-for-a-windows-population.asciidoc 
@@ -0,0 +1,56 @@ +[[prebuilt-rule-0-14-1-anomalous-process-for-a-windows-population]] +=== Anomalous Process For a Windows Population + +Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* ML + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating an Unusual Windows Process +Detection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? +- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. +- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. +- Examine arguments and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing. +- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. +- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc new file mode 100644 index 0000000000..5ce1262635 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-application-added-to-google-workspace-domain]] +=== Application Added to Google Workspace Domain + +Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/6328701?hl=en# + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-ec2-full-network-packet-capture-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-ec2-full-network-packet-capture-detected.asciidoc new file mode 100644 index 0000000000..6439148434 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-ec2-full-network-packet-capture-detected.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-0-14-1-aws-ec2-full-network-packet-capture-detected]] +=== AWS EC2 Full Network Packet Capture Detected + +Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html +* https://github.com/easttimor/aws-incident-response + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Network Security + +*Version*: 2 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and +event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and +event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Automated Exfiltration +** ID: T1020 +** Reference URL: https://attack.mitre.org/techniques/T1020/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data Staged +** ID: T1074 +** Reference URL: https://attack.mitre.org/techniques/T1074/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-rds-security-group-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-rds-security-group-creation.asciidoc new file mode 100644 index 0000000000..f09ff23026 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-rds-security-group-creation.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-0-14-1-aws-rds-security-group-creation]] +=== AWS RDS Security Group Creation + +Identifies the creation of an Amazon Relational Database Service (RDS) Security group. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 2 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Cloud Account +** ID: T1136.003 +** Reference URL: https://attack.mitre.org/techniques/T1136/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-rds-security-group-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-rds-security-group-deletion.asciidoc new file mode 100644 index 0000000000..c9ff0d4cf0 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-rds-security-group-deletion.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-0-14-1-aws-rds-security-group-deletion]] +=== AWS RDS Security Group Deletion + +Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 2 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Account Access Removal +** ID: T1531 +** Reference URL: https://attack.mitre.org/techniques/T1531/ 
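Review bot: the mapping Impact / T1531 Account Access Removal does not describe the matched event: `DeleteDBSecurityGroup` removes a network access rule set, not an account, so an analyst pivoting on the technique will be misled. Suggest keeping the Impact tactic and dropping or replacing the technique, and adding a sentence to the one-line description on why the deletion warrants an alert (loss of the access restrictions the group enforced, or cleanup after an earlier unauthorized change), as the Security Group Configuration Change rule in this patch does for EC2 groups.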
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-security-group-configuration-change-detection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-security-group-configuration-change-detection.asciidoc new file mode 100644 index 0000000000..c46c22f2c4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-security-group-configuration-change-detection.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-0-14-1-aws-security-group-configuration-change-detection]] +=== AWS Security Group Configuration Change Detection + +Identifies a change to an AWS Security Group Configuration. A security group is like a virtul firewall and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in a AWS environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Network Security + +*Version*: 1 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or +CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or +RevokeSecurityGroupIngress) and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ 
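Review bot: the rule query filters on `event.provider:iam.amazonaws.com`, but `AuthorizeSecurityGroupEgress`, `CreateSecurityGroup`, `ModifyInstanceAttribute`, `ModifySecurityGroupRules`, `RevokeSecurityGroupEgress` and `RevokeSecurityGroupIngress` are EC2 API actions, which CloudTrail records under `ec2.amazonaws.com` (the provider the AWS EC2 Full Network Packet Capture rule in this patch uses), so as written the query cannot match any of these events. The action list also omits `AuthorizeSecurityGroupIngress`, the call that opens inbound access and the most security-relevant change of the set; suggest adding it. Separately, the description has two typos: "virtul" should be "virtual" and "a AWS environment" should be "an AWS environment".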
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-azure-active-directory-high-risk-sign-in.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-azure-active-directory-high-risk-sign-in.asciidoc new file mode 100644 index 0000000000..2b258bf65d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-azure-active-directory-high-risk-sign-in.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-0-14-1-azure-active-directory-high-risk-sign-in]] +=== Azure Active Directory High Risk Sign-in + +Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk +* https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection +* https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 3 + +*Rule authors*: + +* Elastic +* Willem D'Haese + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.signinlogs and + (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and + event.outcome:(success or Success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-bash-shell-profile-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-bash-shell-profile-modification.asciidoc new file mode 100644 index 0000000000..51d78690fe --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-bash-shell-profile-modification.asciidoc 
@@ -0,0 +1,90 @@ +[[prebuilt-rule-0-14-1-bash-shell-profile-modification]] +=== Bash Shell Profile Modification + +Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat + +*Tags*: + +* Elastic +* Host +* macOS +* Linux +* Threat Detection +* Persistence + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and event.type:change and + process.name:(* and not (sudo or + vim or + zsh or + env or + nano or + bash or + Terminal or + xpcproxy or + login or + cat or + cp or + launchctl or + java)) and + not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and + file.path:(/private/etc/rc.local or + /etc/rc.local or + /home/*/.profile or + /home/*/.profile1 or + /home/*/.bash_profile or + /home/*/.bash_profile1 or + /home/*/.bashrc or + /Users/*/.bash_profile or + /Users/*/.zshenv) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Unix Shell 
Configuration Modification +** ID: T1546.004 +** Reference URL: https://attack.mitre.org/techniques/T1546/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-bypass-uac-via-event-viewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-bypass-uac-via-event-viewer.asciidoc new file mode 100644 index 0000000000..ef745ff4dc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-bypass-uac-via-event-viewer.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-bypass-uac-via-event-viewer]] +=== Bypass UAC via Event Viewer + +Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "eventvwr.exe" and + not process.executable : + ("?:\\Windows\\SysWOW64\\mmc.exe", + "?:\\Windows\\System32\\mmc.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe", + "?:\\Windows\\System32\\WerFault.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-default-cobalt-strike-team-server-certificate.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-default-cobalt-strike-team-server-certificate.asciidoc new file mode 100644 index 0000000000..667245a995 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-default-cobalt-strike-team-server-certificate.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-0-14-1-default-cobalt-strike-team-server-certificate]] +=== Default Cobalt Strike Team Server Certificate + +This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/software/S0154/ +* https://www.cobaltstrike.com/help-setup-collaboration +* https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html +* https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html +* https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html + +*Tags*: + +* Command and Control +* Post-Execution +* Threat Detection +* Elastic +* Network +* Host + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Threat intel + +While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or + tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or + tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: Web Protocols +** ID: T1071.001 +** Reference URL: https://attack.mitre.org/techniques/T1071/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-disabling-user-account-control-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-disabling-user-account-control-via-registry-modification.asciidoc new file mode 100644 index 0000000000..6f2019cae7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-disabling-user-account-control-via-registry-modification.asciidoc 
@@ -0,0 +1,88 @@ +[[prebuilt-rule-0-14-1-disabling-user-account-control-via-registry-modification]] +=== Disabling User Account Control via Registry Modification + +User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.greyhathacker.net/?p=796 +* https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings +* https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type == "change" and + registry.path : + ( + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop" + ) and + registry.data.strings : "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* 
Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-dns-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-dns-activity-to-the-internet.asciidoc new file mode 100644 index 0000000000..ecaca1da8c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-dns-activity-to-the-internet.asciidoc 
@@ -0,0 +1,95 @@ +[[prebuilt-rule-0-14-1-dns-activity-to-the-internet]] +=== DNS Activity to the Internet + +This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS and it opens your network to a variety of abuses and malicious communications. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.us-cert.gov/ncas/alerts/TA15-240A +* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Network +* Threat Detection +* Command and Control +* Host + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) + and source.ip:( + 10.0.0.0/8 or + 172.16.0.0/12 or + 192.168.0.0/16 + ) and + not destination.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.0.0.0/24 or + 192.0.0.0/29 or + 192.0.0.8/32 or + 192.0.0.9/32 or + 192.0.0.10/32 or + 192.0.0.170/32 or + 192.0.0.171/32 or + 192.0.2.0/24 or + 192.31.196.0/24 or + 192.52.193.0/24 or + 192.168.0.0/16 or + 192.88.99.0/24 or + 224.0.0.0/4 or + 100.64.0.0/10 or + 192.175.48.0/24 or + 198.18.0.0/15 or + 198.51.100.0/24 or + 
203.0.113.0/24 or + 240.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc new file mode 100644 index 0000000000..4bc2e036d4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains]] +=== Domain Added to Google Workspace Trusted Domains + +Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/6160020?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-execution-of-file-written-or-modified-by-microsoft-office.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-execution-of-file-written-or-modified-by-microsoft-office.asciidoc new file mode 100644 index 0000000000..3407e83185 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-execution-of-file-written-or-modified-by-microsoft-office.asciidoc 
@@ -0,0 +1,84 @@ +[[prebuilt-rule-0-14-1-execution-of-file-written-or-modified-by-microsoft-office]] +=== Execution of File Written or Modified by Microsoft Office + +Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 21 + +*Runs every*: 60m + +*Searches indices from*: now-120m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=2h + [file where event.type != "deletion" and file.extension : "exe" and + (process.name : "WINWORD.EXE" or + process.name : "EXCEL.EXE" or + process.name : "OUTLOOK.EXE" or + process.name : "POWERPNT.EXE" or + process.name : "eqnedt32.exe" or + process.name : "fltldr.exe" or + process.name : "MSPUB.EXE" or + process.name : "MSACCESS.EXE") + ] by host.id, file.path + [process where event.type in ("start", "process_started")] by host.id, process.executable + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Sub-technique: +** Name: 
Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-exporting-exchange-mailbox-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-exporting-exchange-mailbox-via-powershell.asciidoc new file mode 100644 index 0000000000..25a1b20883 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-exporting-exchange-mailbox-via-powershell.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-0-14-1-exporting-exchange-mailbox-via-powershell]] +=== Exporting Exchange Mailbox via PowerShell + +Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ +* https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Collection + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name: ("powershell.exe", "pwsh.exe") and process.args : "New-MailboxExportRequest*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-external-ip-lookup-from-non-browser-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-external-ip-lookup-from-non-browser-process.asciidoc new file mode 100644 index 0000000000..b9f13e0e45 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-external-ip-lookup-from-non-browser-process.asciidoc 
@@ -0,0 +1,103 @@ +[[prebuilt-rule-0-14-1-external-ip-lookup-from-non-browser-process]] +=== External IP Lookup from Non-Browser Process + +Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation +* https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +network where network.protocol == "dns" and + process.name != null and user.id not in ("S-1-5-19", "S-1-5-20") and + event.action == "lookup_requested" and + /* Add new external IP lookup services here */ + dns.question.name : + ( + "*api.ipify.org", + "*freegeoip.app", + "*checkip.amazonaws.com", + "*checkip.dyndns.org", + "*freegeoip.app", + "*icanhazip.com", + "*ifconfig.*", + "*ipecho.net", + "*ipgeoapi.com", + "*ipinfo.io", + "*ip.anysrc.net", + "*myexternalip.com", + "*myipaddress.com", + "*showipaddress.com", + "*whatismyipaddress.com", + "*wtfismyip.com", + "*ipapi.co", + "*ip-lookup.net", + "*ipstack.com" + ) and + /* Insert noisy false positives here */ + not process.executable : + ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + 
"?:\\Windows\\System32\\WWAHost.exe", + "?:\\Windows\\System32\\smartscreen.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Network Configuration Discovery +** ID: T1016 +** Reference URL: https://attack.mitre.org/techniques/T1016/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-finder-sync-plugin-registered-and-enabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-finder-sync-plugin-registered-and-enabled.asciidoc new file mode 100644 index 0000000000..163085b650 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-finder-sync-plugin-registered-and-enabled.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-0-14-1-finder-sync-plugin-registered-and-enabled]] +=== Finder Sync Plugin Registered and Enabled + +Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, user.id with maxspan = 5s + [process where event.type in ("start", "process_started") and process.name : "pluginkit" and process.args : "-a"] + [process where event.type in ("start", "process_started") and process.name : "pluginkit" and + process.args : "-e" and process.args : "use" and process.args : "-i" and + not process.args : + ( + "com.google.GoogleDrive.FinderSyncAPIExtension", + "com.google.drivefs.findersync", + "com.boxcryptor.osx.Rednif", + "com.adobe.accmac.ACCFinderSync", + "com.microsoft.OneDrive.FinderSync", + "com.insynchq.Insync.Insync-Finder-Integration", + "com.box.desktop.findersyncext" + ) + ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc new file mode 100644 index 0000000000..dae91a22fb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user]] +=== Google Workspace Admin Role Assigned to a User + +Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target’s environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/172176?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc new file mode 100644 index 0000000000..9009ffe597 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-google-workspace-admin-role-deletion]] +=== Google Workspace Admin Role Deletion + +Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/2406043?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc new file mode 100644 index 0000000000..52e4532439 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority]] +=== Google Workspace API Access Granted via Domain-Wide Delegation of Authority + +Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developers.google.com/admin-sdk/directory/v1/guides/delegation + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc new file mode 100644 index 0000000000..7431439452 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created]] +=== Google Workspace Custom Admin Role Created + +Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/2406043?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc new file mode 100644 index 0000000000..f14ea0f2b8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled]] +=== Google Workspace MFA Enforcement Disabled + +Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/9176657?hl=en# + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc new file mode 100644 index 0000000000..5ccdcb0f3b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc 
@@ -0,0 +1,87 @@ +[[prebuilt-rule-0-14-1-google-workspace-password-policy-modified]] +=== Google Workspace Password Policy Modified + +Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and + event.provider:admin and event.category:iam and + event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and + gsuite.admin.setting.name:( + "Password Management - Enforce strong password" or + "Password Management - Password reset frequency" or + "Password Management - Enable password reuse" or + "Password Management - Enforce password policy at next login" or + "Password Management - Minimum password length" or + "Password Management - Maximum password length" + ) or + google_workspace.admin.setting.name:( + "Password Management - Enforce strong password" or + "Password Management - Password reset frequency" or + "Password Management - Enable password reuse" or + "Password Management - Enforce password policy at next login" or + "Password Management - Minimum password length" or + "Password Management - Maximum password length" + ) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc new file mode 100644 index 0000000000..55a1adce01 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-0-14-1-google-workspace-role-modified]] +=== Google Workspace Role Modified + +Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/2406043?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-macos-installer-spawns-network-event.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-macos-installer-spawns-network-event.asciidoc new file mode 100644 index 0000000000..4855e72d45 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-macos-installer-spawns-network-event.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-0-14-1-macos-installer-spawns-network-event]] +=== macOS Installer Spawns Network Event + +Identifies when the built in macOS Installer program generates a network event after attempting to install a .pkg file. This activity has been observed being leveraged by malware. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://redcanary.com/blog/clipping-silver-sparrows-wings +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Execution + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m + [process where event.type == "start" and host.os.family == "macos" and + process.parent.executable in ("/usr/sbin/installer", "/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer") ] + [network where not cidrmatch(destination.ip, + "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", + "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", + "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: 
https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: Web Protocols +** ID: T1071.001 +** Reference URL: https://attack.mitre.org/techniques/T1071/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc new file mode 100644 index 0000000000..963fdc91d8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization]] +=== MFA Disabled for Google Workspace Organization + +Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-modification-of-amsienable-registry-key.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-modification-of-amsienable-registry-key.asciidoc new file mode 100644 index 0000000000..fa20adbda6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-modification-of-amsienable-registry-key.asciidoc 
@@ -0,0 +1,70 @@ +[[prebuilt-rule-0-14-1-modification-of-amsienable-registry-key]] +=== Modification of AmsiEnable Registry Key + +JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify this key to disable AMSI protections. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf +* https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type in ("creation", "change") and + registry.path: "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" and + registry.data.strings: "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-modification-of-dynamic-linker-preload-shared-object.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-modification-of-dynamic-linker-preload-shared-object.asciidoc new file mode 100644 index 0000000000..7e3bfd96e6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-modification-of-dynamic-linker-preload-shared-object.asciidoc 
@@ -0,0 +1,66 @@ +[[prebuilt-rule-0-14-1-modification-of-dynamic-linker-preload-shared-object]] +=== Modification of Dynamic Linker Preload Shared Object + +Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Privilege Escalation + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mshta-making-network-connections.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mshta-making-network-connections.asciidoc new file mode 100644 index 0000000000..6d10503ed8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mshta-making-network-connections.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-mshta-making-network-connections]] +=== Mshta Making Network Connections + +Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=10m + [process where event.type in ("start", "process_started") and process.name : "mshta.exe" and + not process.parent.name : "Microsoft.ConfigurationManagement.exe" and + not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or + process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and + not process.args : "ADSelfService_Enroll.hta"] + [network where process.name : "mshta.exe"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Signed Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Mshta +** ID: T1218.005 +** Reference URL: https://attack.mitre.org/techniques/T1218/005/ 
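Review bot: In the Mshta Making Network Connections hunk, `*Risk score*: 21` is paired with `*Severity*: medium`, while every other medium-severity rule in this package carries 47 and 21 is the score the low-severity rules use; either the severity or the score looks wrong here, so align one with the other before this ships.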
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-new-activesyncalloweddeviceid-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-new-activesyncalloweddeviceid-added-via-powershell.asciidoc new file mode 100644 index 0000000000..bc1e3842a0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-new-activesyncalloweddeviceid-added-via-powershell.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-0-14-1-new-activesyncalloweddeviceid-added-via-powershell]] +=== New ActiveSyncAllowedDeviceID Added via PowerShell + +Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ +* https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Collection + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name: ("powershell.exe", "pwsh.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ 
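Review bot: In the New ActiveSyncAllowedDeviceID Added via PowerShell hunk, the query's `process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"` only matches when the cmdlet name and the parameter land in the same argument token; if the command is passed unquoted so that the tokens are split, `Set-CASMailbox` and `-ActiveSyncAllowedDeviceIDs` arrive as separate entries of `process.args` and the wildcard never matches. Consider matching on `process.command_line` instead, or using two separate `process.args` conditions joined with `and`, and say in the description that the rule depends on process creation telemetry that carries the full argument list.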
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-ntds-or-sam-database-file-copied.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-ntds-or-sam-database-file-copied.asciidoc new file mode 100644 index 0000000000..652ebdf0a0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-ntds-or-sam-database-file-copied.asciidoc 
@@ -0,0 +1,72 @@ +[[prebuilt-rule-0-14-1-ntds-or-sam-database-file-copied]] +=== NTDS or SAM Database File Copied + +Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ +* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 4 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ( + (process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and + process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv") + ) or + (process.pe.original_file_name : "esentutl.exe" and process.args : ("*/y*", "*/vss*", "*/d*")) + ) and + process.args : ("*\\ntds.dit", "*\\config\\SAM", "\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ 
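Review bot: In the NTDS or SAM Database File Copied hunk, `*Maximum alerts per execution*: 33` stands out against the 100 every other rule in this package uses; if the value is intentional, a sentence explaining why belongs next to it, otherwise it reads as a typo that should be corrected before merge.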
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-o365-excessive-single-sign-on-logon-errors.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-o365-excessive-single-sign-on-logon-errors.asciidoc new file mode 100644 index 0000000000..0d5291a1d0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-o365-excessive-single-sign-on-logon-errors.asciidoc 
@@ -0,0 +1,72 @@ +[[prebuilt-rule-0-14-1-o365-excessive-single-sign-on-logon-errors]] +=== O365 Excessive Single Sign-On Logon Errors + +Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 2 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:web and o365.audit.LogonError:"SsoArtifactInvalidOrExpired" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-persistence-via-docker-shortcut-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-persistence-via-docker-shortcut-modification.asciidoc new file mode 100644 index 0000000000..109a742cd8 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-persistence-via-docker-shortcut-modification.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-0-14-1-persistence-via-docker-shortcut-modification]] +=== Persistence via Docker Shortcut Modification + +An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category : file and event.action : modification and + file.path : /Users/*/Library/Preferences/com.apple.dock.plist and + not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ 
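Review bot: In the Persistence via Docker Shortcut Modification hunk, the title and anchor say "Docker" but the rule itself (the description, the `com.apple.dock.plist` path in the query and the SO-CON macOS persistence reference) is about the macOS Dock; rename it to "Dock Shortcut Modification" so that readers looking for container-related detections are not misled, keeping the old anchor if other pages already link to it.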
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-potential-privacy-control-bypass-via-tccdb-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-potential-privacy-control-bypass-via-tccdb-modification.asciidoc new file mode 100644 index 0000000000..18a5a8717b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-potential-privacy-control-bypass-via-tccdb-modification.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-0-14-1-potential-privacy-control-bypass-via-tccdb-modification]] +=== Potential Privacy Control Bypass via TCCDB Modification + +Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/ +* https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh +* https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Defense Evasion + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.name : "sqlite*" and + process.args : "/*/Application Support/com.apple.TCC/TCC.db" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rare-aws-error-code.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rare-aws-error-code.asciidoc new file mode 100644 index 0000000000..092c98610e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rare-aws-error-code.asciidoc 
@@ -0,0 +1,57 @@ +[[prebuilt-rule-0-14-1-rare-aws-error-code]] +=== Rare AWS Error Code + +A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* ML + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +## Triage and analysis + +Investigating Unusual CloudTrail Error Activity ### +Detection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation: +- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, only manifested recently, it might be related to recent changes in an automation module or script. +- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts. +- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? 
Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request. +- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rdp-remote-desktop-protocol-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rdp-remote-desktop-protocol-from-the-internet.asciidoc new file mode 100644 index 0000000000..a78e7dc7b9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rdp-remote-desktop-protocol-from-the-internet.asciidoc 
@@ -0,0 +1,110 @@ +[[prebuilt-rule-0-14-1-rdp-remote-desktop-protocol-from-the-internet]] +=== RDP (Remote Desktop Protocol) from the Internet + +This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* Network +* Threat Detection +* Command and Control +* Host + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and + not source.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.0.0.0/24 or + 192.0.0.0/29 or + 192.0.0.8/32 or + 192.0.0.9/32 or + 192.0.0.10/32 or + 192.0.0.170/32 or + 192.0.0.171/32 or + 192.0.2.0/24 or + 192.31.196.0/24 or + 192.52.193.0/24 or + 192.168.0.0/16 or + 192.88.99.0/24 or + 224.0.0.0/4 or + 100.64.0.0/10 or + 192.175.48.0/24 or + 198.18.0.0/15 or + 198.51.100.0/24 or + 203.0.113.0/24 or + 240.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" + ) and + destination.ip:( + 10.0.0.0/8 or + 172.16.0.0/12 or + 192.168.0.0/16 + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* 
Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc new file mode 100644 index 0000000000..1bb2e71b07 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc 
@@ -0,0 +1,110 @@ +[[prebuilt-rule-0-14-1-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet]] +=== Roshal Archive (RAR) or PowerShell File Downloaded from the Internet + +Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs (tactics, techniques, and procedures). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html +* https://www.justice.gov/opa/press-release/file/1084361/download +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Network +* Threat Detection +* Command and Control +* Host + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Threat intel + +This activity has been observed in FIN7 campaigns. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:(network or network_traffic) and network.protocol:http and + (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and + not destination.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.0.0.0/24 or + 192.0.0.0/29 or + 192.0.0.8/32 or + 192.0.0.9/32 or + 192.0.0.10/32 or + 192.0.0.170/32 or + 192.0.0.171/32 or + 192.0.2.0/24 or + 192.31.196.0/24 or + 192.52.193.0/24 or + 192.168.0.0/16 or + 192.88.99.0/24 or + 224.0.0.0/4 or + 100.64.0.0/10 or + 192.175.48.0/24 or + 198.18.0.0/15 or + 198.51.100.0/24 or + 203.0.113.0/24 or + 240.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" + ) and + source.ip:( + 10.0.0.0/8 or + 172.16.0.0/12 or + 192.168.0.0/16 + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rpc-remote-procedure-call-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rpc-remote-procedure-call-from-the-internet.asciidoc new file mode 100644 index 0000000000..dfe753e73e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rpc-remote-procedure-call-from-the-internet.asciidoc 
@@ -0,0 +1,98 @@ +[[prebuilt-rule-0-14-1-rpc-remote-procedure-call-from-the-internet]] +=== RPC (Remote Procedure Call) from the Internet + +This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* Network +* Threat Detection +* Initial Access +* Host + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and + not source.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.0.0.0/24 or + 192.0.0.0/29 or + 192.0.0.8/32 or + 192.0.0.9/32 or + 192.0.0.10/32 or + 192.0.0.170/32 or + 192.0.0.171/32 or + 192.0.2.0/24 or + 192.31.196.0/24 or + 192.52.193.0/24 or + 192.168.0.0/16 or + 192.88.99.0/24 or + 224.0.0.0/4 or + 100.64.0.0/10 or + 192.175.48.0/24 or + 198.18.0.0/15 or + 198.51.100.0/24 or + 203.0.113.0/24 or + 240.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" + ) and + destination.ip:( + 10.0.0.0/8 or + 172.16.0.0/12 or + 192.168.0.0/16 + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** 
Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rpc-remote-procedure-call-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rpc-remote-procedure-call-to-the-internet.asciidoc new file mode 100644 index 0000000000..b4dd0c3283 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-rpc-remote-procedure-call-to-the-internet.asciidoc 
@@ -0,0 +1,98 @@ +[[prebuilt-rule-0-14-1-rpc-remote-procedure-call-to-the-internet]] +=== RPC (Remote Procedure Call) to the Internet + +This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* Network +* Threat Detection +* Initial Access +* Host + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and + source.ip:( + 10.0.0.0/8 or + 172.16.0.0/12 or + 192.168.0.0/16 + ) and + not destination.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.0.0.0/24 or + 192.0.0.0/29 or + 192.0.0.8/32 or + 192.0.0.9/32 or + 192.0.0.10/32 or + 192.0.0.170/32 or + 192.0.0.171/32 or + 192.0.2.0/24 or + 192.31.196.0/24 or + 192.52.193.0/24 or + 192.168.0.0/16 or + 192.88.99.0/24 or + 224.0.0.0/4 or + 100.64.0.0/10 or + 192.175.48.0/24 or + 198.18.0.0/15 or + 198.51.100.0/24 or + 203.0.113.0/24 or + 240.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: 
Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-smb-windows-file-sharing-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-smb-windows-file-sharing-activity-to-the-internet.asciidoc new file mode 100644 index 0000000000..3d7a280007 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-smb-windows-file-sharing-activity-to-the-internet.asciidoc 
@@ -0,0 +1,106 @@ +[[prebuilt-rule-0-14-1-smb-windows-file-sharing-activity-to-the-internet]] +=== SMB (Windows File Sharing) Activity to the Internet + +This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* Network +* Threat Detection +* Initial Access +* Host + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and + source.ip:( + 10.0.0.0/8 or + 172.16.0.0/12 or + 192.168.0.0/16 + ) and + not destination.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.0.0.0/24 or + 192.0.0.0/29 or + 192.0.0.8/32 or + 192.0.0.9/32 or + 192.0.0.10/32 or + 192.0.0.170/32 or + 192.0.0.171/32 or + 192.0.2.0/24 or + 192.31.196.0/24 or + 192.52.193.0/24 or + 192.168.0.0/16 or + 192.88.99.0/24 or + 224.0.0.0/4 or + 100.64.0.0/10 or + 192.175.48.0/24 or + 198.18.0.0/15 or + 198.51.100.0/24 or + 203.0.113.0/24 or + 240.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" + ) + 
+---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Alternative Protocol +** ID: T1048 +** Reference URL: https://attack.mitre.org/techniques/T1048/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-spike-in-aws-error-messages.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-spike-in-aws-error-messages.asciidoc new file mode 100644 index 0000000000..1df248398b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-spike-in-aws-error-messages.asciidoc 
@@ -0,0 +1,57 @@ +[[prebuilt-rule-0-14-1-spike-in-aws-error-messages]] +=== Spike in AWS Error Messages + +A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* ML + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +## Triage and analysis + +### Investigating Spikes in CloudTrail Errors +Detection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation: +- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script. +- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts. 
+- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request. +- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-spike-in-network-traffic.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-spike-in-network-traffic.asciidoc new file mode 100644 index 0000000000..1d552c4b41 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-spike-in-network-traffic.asciidoc 
@@ -0,0 +1,38 @@ +[[prebuilt-rule-0-14-1-spike-in-network-traffic]] +=== Spike in Network Traffic + +A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Network +* Threat Detection +* ML + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-suspicious-jar-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-suspicious-jar-child-process.asciidoc new file mode 100644 index 0000000000..161fdf6dee --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-suspicious-jar-child-process.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-suspicious-jar-child-process]] +=== Suspicious JAR Child Process + +Identifies suspicious child processes of a Java Archive (JAR) file. JAR files may be used to deliver malware in order to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* macOS +* Threat Detection +* Execution + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "java" and + process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget") and + process.args : "-jar" and process.args : "*.jar" and + /* Add any FP's here */ + not process.executable : ("/Users/*/.sdkman/*", "/Library/Java/JavaVirtualMachines/*") and + not process.args : ("/usr/local/*", "/Users/*/github.com/*", "/Users/*/src/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-suspicious-wmi-image-load-from-ms-office.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-suspicious-wmi-image-load-from-ms-office.asciidoc new file mode 100644 index 0000000000..57d20367c1 
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-suspicious-wmi-image-load-from-ms-office.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-0-14-1-suspicious-wmi-image-load-from-ms-office]] +=== Suspicious WMI Image Load from MS Office + +Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and + event.action : "load" and + event.category : "library" and + dll.name : "wmiutils.dll" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ 
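Review bot: In the Suspicious WMI Image Load from MS Office query, `event.category : "library"` is redundant with the `library where` event selector and can be dropped. In the description, "evade traditional parent/child processes spawned from Microsoft Office products" reads as if the processes themselves are evaded; what is evaded is detection based on parent/child process relationships, so reword it that way.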
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-telnet-port-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-telnet-port-activity.asciidoc new file mode 100644 index 0000000000..e96b49b5b4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-telnet-port-activity.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-0-14-1-telnet-port-activity]] +=== Telnet Port Activity + +This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Network +* Threat Detection +* Command and Control +* Host + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:(network or network_traffic) and network.transport:tcp and destination.port:23 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ 
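Review bot: The Telnet Port Activity query, `event.category:(network or network_traffic) and network.transport:tcp and destination.port:23`, matches every TCP connection to port 23 regardless of source or destination, including purely internal ones, while the description and the Initial Access / Exploit Public-Facing Application mapping describe Internet exposure. Either scope the query with the private and special-use address lists the RDP and RPC rules in this package use, or reword the description to say the rule flags any Telnet use. `* Host` is also listed twice in Tags.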
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc new file mode 100644 index 0000000000..459978b7b8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc 
@@ -0,0 +1,72 @@ +[[prebuilt-rule-0-14-1-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer]] +=== UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer + +Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and + process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding" + + /* uncomment once in winlogbeat */ + /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ 
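Review bot: The UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer query ships with a commented-out exclusion (`/* uncomment once in winlogbeat */` followed by the `process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true` filter). Either remove the placeholder from the published query or state in the description that signed Microsoft binaries are not yet excluded; a commented-out filter inside a shipped rule is easy to miss and leaves users unsure whether it is in effect.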
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc new file mode 100644 index 0000000000..156b8e1944 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-uac-bypass-attempt-via-privileged-ifileoperation-com-interface]] +=== UAC Bypass Attempt via Privileged IFileOperation COM Interface + +Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/hfiref0x/UACME + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type : "change" and process.name : "dllhost.exe" and + /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */ + file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and + /* has no impact on rule logic just to avoid OS install related FPs */ + not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ 
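Review bot: In the UAC Bypass Attempt via Privileged IFileOperation COM Interface query, the comment `/* has no impact on rule logic just to avoid OS install related FPs */` contradicts itself: the `not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*")` clause does change what the rule matches, so the comment should simply say it suppresses OS-update false positives. Also "Known modules names" in the first comment should be "Known module names".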
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc new file mode 100644 index 0000000000..ac98bb16eb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-0-14-1-uac-bypass-attempt-via-windows-directory-masquerading]] +=== UAC Bypass Attempt via Windows Directory Masquerading + +Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ 
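Review bot: The UAC Bypass Attempt via Windows Directory Masquerading query checks only `process.args` for the trailing-space paths (`C:\\Windows \\system32\\*.exe`, `C:\\Windows \\SysWOW64\\*.exe`). A binary started from the mock directory carries that path in `process.executable`, so consider matching `process.executable` against the same patterns as well; as written, the rule depends on the path appearing somewhere in the command line.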
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc new file mode 100644 index 0000000000..8c22dace00 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc 
@@ -0,0 +1,70 @@ +[[prebuilt-rule-0-14-1-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface]] +=== UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface + +Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/hfiref0x/UACME + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.name : "Clipup.exe" and + not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and + /* CLSID of the Elevated COM Interface IEditionUpgradeManager */ + process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ 
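Review bot: in the IEditionUpgradeManager query, the only exclusion for the legitimate binary is the exact path `"C:\\Windows\\System32\\ClipUp.exe"`, so on a host where Windows is installed on another drive letter the genuine ClipUp.exe started by dllhost.exe under this CLSID would alert on every run; `?:\\Windows\\System32\\ClipUp.exe` (single-character wildcard under the `:` operator) removes that false positive without widening the match. Minor style point: this rule compares `process.parent.name : "dllhost.exe"` while the ICMLuaUtil rule in the same package uses `process.parent.name == "dllhost.exe"`; pick one form, and `:` (case-insensitive) is the safer choice for process names.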
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc new file mode 100644 index 0000000000..76c609df78 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-0-14-1-uac-bypass-via-diskcleanup-scheduled-task-hijack]] +=== UAC Bypass via DiskCleanup Scheduled Task Hijack + +Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.args : "/autoclean" and process.args : "/d" and + not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe", + "C:\\Windows\\SysWOW64\\cleanmgr.exe", + "C:\\Windows\\System32\\taskhostw.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc new file mode 100644 index 0000000000..3075eba755 --- /dev/null 
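Review bot: the DiskCleanup Scheduled Task Hijack query filters on `event.type == "start"` alone, while every other EQL rule in this package, reading the same `winlogbeat-*`, `logs-endpoint.events.*` and `logs-windows.*` indices, uses `event.type in ("start", "process_started")`; process events carrying the `process_started` value are silently dropped here. Align it with the siblings. The three excluded executables are also pinned to `C:\\`, so a legitimate cleanmgr.exe or taskhostw.exe on another system drive would fire; `?:\\Windows\\System32\\cleanmgr.exe` and the two companion paths avoid that.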
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-0-14-1-uac-bypass-via-icmluautil-elevated-com-interface]] +=== UAC Bypass via ICMLuaUtil Elevated COM Interface + +Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name == "dllhost.exe" and + process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and + process.pe.original_file_name != "WerFault.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ 
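Review bot: in the ICMLuaUtil query, `process.parent.args in (...)` is an exact, case-sensitive comparison, so a `/Processid:` argument whose CLSID hex or `Processid` token is cased differently would not match, unlike the `:` comparison the IEditionUpgradeManager rule uses for the same kind of argument; `process.parent.args : ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}")` keeps the same two values case-insensitively. Documentation point: the two CLSIDs are unexplained in the file, whereas the IEditionUpgradeManager rule carries a `/* CLSID of the Elevated COM Interface ... */` comment; the same comment belongs here so a tuner knows what each GUID is.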
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc new file mode 100644 index 0000000000..e7196ec65a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-uac-bypass-via-windows-firewall-snap-in-hijack]] +=== UAC Bypass via Windows Firewall Snap-In Hijack + +Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/AzAgarampur/byeintegrity-uac + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name == "mmc.exe" and + /* process.Ext.token.integrity_level_name == "high" can be added in future for tuning */ + /* args of the Windows Firewall SnapIn */ + process.parent.args == "WF.msc" and process.name != "WerFault.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ 
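Review bot: in the Windows Firewall Snap-In Hijack query, `process.parent.args == "WF.msc"` is an exact, case-sensitive comparison against a single argument, so an mmc.exe parent launched with a differently cased or path-qualified snap-in argument would not match; `process.parent.args : "*WF.msc"` covers both while keeping the intent stated in the `/* args of the Windows Firewall SnapIn */` comment. The WerFault exclusion also differs from the ICMLuaUtil rule, which keys on `process.pe.original_file_name` rather than `process.name`; since `process.name` is trivially renamed, prefer the PE original file name (or check both) for consistency across the package.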
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-aws-command-for-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-aws-command-for-a-user.asciidoc new file mode 100644 index 0000000000..b4ad81a8e9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-aws-command-for-a-user.asciidoc 
@@ -0,0 +1,59 @@ +[[prebuilt-rule-0-14-1-unusual-aws-command-for-a-user]] +=== Unusual AWS Command for a User + +A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* ML + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +## Triage and analysis + +### Investigating an Unusual CloudTrail Event + +Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation: +- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request. +- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? 
If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? +- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day? +- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. +- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing. +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-city-for-an-aws-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-city-for-an-aws-command.asciidoc new file mode 100644 index 0000000000..002336b561 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-city-for-an-aws-command.asciidoc 
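Review bot: in the Unusual AWS Command for a User investigation guide, the inline code span in "which is visible in the `event.action field`" wraps the word "field" inside the backticks; it should read "the `event.action` field". The same sentence recurs verbatim in the Unusual City and Unusual Country guides that follow, so fix all three. The `## Config` section states the data requirement but not the fields the triage bullets depend on (`user.name`, `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.access_key_id`, `user_agent.original`); listing them there lets an analyst confirm the mapping before working an alert.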
@@ -0,0 +1,58 @@ +[[prebuilt-rule-0-14-1-unusual-city-for-an-aws-command]] +=== Unusual City For an AWS Command + +A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* ML + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +## Triage and analysis + +### Investigating an Unusual CloudTrail Event +Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation: +- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? +- Consider the user as identified by the `user.name` field. 
Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request. +- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day? +- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. +- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing. +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-country-for-an-aws-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-country-for-an-aws-command.asciidoc new file mode 100644 index 0000000000..33bb2c358a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-country-for-an-aws-command.asciidoc 
@@ -0,0 +1,58 @@ +[[prebuilt-rule-0-14-1-unusual-country-for-an-aws-command]] +=== Unusual Country For an AWS Command + +A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* ML + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +## Triage and analysis + +### Investigating an Unusual CloudTrail Event +Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation: +- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? +- Consider the user as identified by the `user.name` field. 
Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request. +- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day? +- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. +- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing. +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-linux-network-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-linux-network-activity.asciidoc new file mode 100644 index 0000000000..a5c45ee52d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-linux-network-activity.asciidoc 
@@ -0,0 +1,55 @@ +[[prebuilt-rule-0-14-1-unusual-linux-network-activity]] +=== Unusual Linux Network Activity + +Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* ML + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Network Activity +Detection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation: +- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? +- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses. +- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program? +- Examine the history of execution. 
If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-linux-username.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-linux-username.asciidoc new file mode 100644 index 0000000000..d4e551f9ea --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-linux-username.asciidoc 
@@ -0,0 +1,53 @@ +[[prebuilt-rule-0-14-1-unusual-linux-username]] +=== Unusual Linux Username + +A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* ML + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating an Unusual Linux User +Detection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? 
Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer? +- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing. +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-parent-child-relationship.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-parent-child-relationship.asciidoc new file mode 100644 index 0000000000..7dce37392f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-parent-child-relationship.asciidoc 
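Review bot: the Unusual Linux Username investigation guide reads as copied from the process-centric guides in this package: its first bullet asks "Is this program part of an expected workflow for the user who ran this program", and the cadence example says "if it runs monthly or quarterly", but this rule alerts on a rarely seen username, not on a process. Reword the bullets around the entity the job scores (whether the account's logins or sessions follow a monthly or quarterly pattern, whether the account is a new service account) so the analyst is pointed at authentication and session history rather than program history.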
@@ -0,0 +1,97 @@ +[[prebuilt-rule-0-14-1-unusual-parent-child-relationship]] +=== Unusual Parent-Child Relationship + +Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes%20TH.map.png +* https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and +process.parent.name != null and + ( + /* suspicious parent processes */ + (process.name:"autochk.exe" and not process.parent.name:"smss.exe") or + (process.name:("fontdrvhost.exe", "dwm.exe") and not process.parent.name:("wininit.exe", "winlogon.exe")) or + (process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and not process.parent.name:"svchost.exe") or + (process.name:"SearchIndexer.exe" and not process.parent.name:"services.exe") or + (process.name:"SearchProtocolHost.exe" and not process.parent.name:("SearchIndexer.exe", "dllhost.exe")) or + (process.name:"dllhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or + (process.name:"smss.exe" and not process.parent.name:("System", "smss.exe")) or + (process.name:"csrss.exe" and not process.parent.name:("smss.exe", "svchost.exe")) or + (process.name:"wininit.exe" and not process.parent.name:"smss.exe") or + 
(process.name:"winlogon.exe" and not process.parent.name:"smss.exe") or + (process.name:("lsass.exe", "LsaIso.exe") and not process.parent.name:"wininit.exe") or + (process.name:"LogonUI.exe" and not process.parent.name:("wininit.exe", "winlogon.exe")) or + (process.name:"services.exe" and not process.parent.name:"wininit.exe") or + (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe")) or + (process.name:"spoolsv.exe" and not process.parent.name:"services.exe") or + (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or + (process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe")) or + (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe")) or + (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or + /* suspicious child processes */ + (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe")) or + (process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or + (process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe")) or + (process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or + (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: 
https://attack.mitre.org/techniques/T1055/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-process-for-a-linux-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-process-for-a-linux-host.asciidoc new file mode 100644 index 0000000000..814eb7642a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-process-for-a-linux-host.asciidoc 
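Review bot: in the Unusual Parent-Child Relationship file, the first reference URL mixes literal spaces (`Hunting MindMaps`, `Windows Processes`) with a percent-encoded one (`%20TH.map.png`), so the rendered AsciiDoc link will most likely be cut at the first space; percent-encode every space. The description speaks of masquerading, but the ATT&CK block maps only to Process Injection / Process Hollowing under Privilege Escalation, so either the description or the mapping should be brought into line. Style point: `process.parent.name != null and` is the only condition not indented under `process where`, and the long `smss.exe`, `conhost.exe` and `wermgr.exe` child-process lines would read better with one name group per line, matching the comment-delimited layout already used for the two halves of the query.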
@@ -0,0 +1,53 @@ +[[prebuilt-rule-0-14-1-unusual-process-for-a-linux-host]] +=== Unusual Process For a Linux Host + +Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* ML + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating an Unusual Linux Process +Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? +- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. +---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-process-for-a-windows-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-process-for-a-windows-host.asciidoc new file mode 100644 index 0000000000..1f1460a274 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-process-for-a-windows-host.asciidoc 
@@ -0,0 +1,56 @@ +[[prebuilt-rule-0-14-1-unusual-process-for-a-windows-host]] +=== Unusual Process For a Windows Host + +Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* ML + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating an Unusual Windows Process +Detection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? +- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. +- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. +- Examine arguments and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing. +- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. +- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-windows-network-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-windows-network-activity.asciidoc new file mode 100644 index 0000000000..164b8f8fb4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-windows-network-activity.asciidoc 
@@ -0,0 +1,57 @@ +[[prebuilt-rule-0-14-1-unusual-windows-network-activity]] +=== Unusual Windows Network Activity + +Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* ML + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Network Activity +Detection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation: +- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? +- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses. +- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program? +- Examine the history of execution. 
If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. +- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. +- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-windows-username.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-windows-username.asciidoc new file mode 100644 index 0000000000..090987f9b5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-unusual-windows-username.asciidoc 
@@ -0,0 +1,54 @@ +[[prebuilt-rule-0-14-1-unusual-windows-username]] +=== Unusual Windows Username + +A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* ML + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating an Unusual Windows User +Detection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity? 
+- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing. +- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-vnc-virtual-network-computing-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-vnc-virtual-network-computing-from-the-internet.asciidoc new file mode 100644 index 0000000000..8cc47d6e34 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-vnc-virtual-network-computing-from-the-internet.asciidoc 
@@ -0,0 +1,106 @@ +[[prebuilt-rule-0-14-1-vnc-virtual-network-computing-from-the-internet]] +=== VNC (Virtual Network Computing) from the Internet + +This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* Network +* Threat Detection +* Command and Control +* Host + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and + not source.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.0.0.0/24 or + 192.0.0.0/29 or + 192.0.0.8/32 or + 192.0.0.9/32 or + 192.0.0.10/32 or + 192.0.0.170/32 or + 192.0.0.171/32 or + 192.0.2.0/24 or + 192.31.196.0/24 or + 192.52.193.0/24 or + 192.168.0.0/16 or + 192.88.99.0/24 or + 224.0.0.0/4 or + 100.64.0.0/10 or + 192.175.48.0/24 or + 198.18.0.0/15 or + 198.51.100.0/24 or + 203.0.113.0/24 or + 240.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" + ) and + destination.ip:( + 10.0.0.0/8 or + 172.16.0.0/12 or + 192.168.0.0/16 + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* 
Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Remote Access Software +** ID: T1219 +** Reference URL: https://attack.mitre.org/techniques/T1219/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-vnc-virtual-network-computing-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-vnc-virtual-network-computing-to-the-internet.asciidoc new file mode 100644 index 0000000000..c9a150e016 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-vnc-virtual-network-computing-to-the-internet.asciidoc 
@@ -0,0 +1,98 @@ +[[prebuilt-rule-0-14-1-vnc-virtual-network-computing-to-the-internet]] +=== VNC (Virtual Network Computing) to the Internet + +This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* Network +* Threat Detection +* Command and Control +* Host + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and + source.ip:( + 10.0.0.0/8 or + 172.16.0.0/12 or + 192.168.0.0/16 + ) and + not destination.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.0.0.0/24 or + 192.0.0.0/29 or + 192.0.0.8/32 or + 192.0.0.9/32 or + 192.0.0.10/32 or + 192.0.0.170/32 or + 192.0.0.171/32 or + 192.0.2.0/24 or + 192.31.196.0/24 or + 192.52.193.0/24 or + 192.168.0.0/16 or + 192.88.99.0/24 or + 224.0.0.0/4 or + 100.64.0.0/10 or + 192.175.48.0/24 or + 198.18.0.0/15 or + 198.51.100.0/24 or + 203.0.113.0/24 or + 240.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* 
Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Remote Access Software +** ID: T1219 +** Reference URL: https://attack.mitre.org/techniques/T1219/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-web-application-suspicious-activity-post-request-declined.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-web-application-suspicious-activity-post-request-declined.asciidoc new file mode 100644 index 0000000000..a245905edc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-web-application-suspicious-activity-post-request-declined.asciidoc @@ -0,0 +1,48 @@ +[[prebuilt-rule-0-14-1-web-application-suspicious-activity-post-request-declined]] +=== Web Application Suspicious Activity: POST Request Declined + +A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed. + +*Rule type*: query + +*Rule indices*: + +* apm-*-transaction* +* traces-apm* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://en.wikipedia.org/wiki/HTTP_403 + +*Tags*: + +* Elastic +* APM + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +http.response.status_code:403 and http.request.method:post + +---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-web-application-suspicious-activity-unauthorized-method.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-web-application-suspicious-activity-unauthorized-method.asciidoc new file mode 100644 index 0000000000..b72c873dd0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-web-application-suspicious-activity-unauthorized-method.asciidoc @@ -0,0 +1,48 @@ +[[prebuilt-rule-0-14-1-web-application-suspicious-activity-unauthorized-method]] +=== Web Application Suspicious Activity: Unauthorized Method + +A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource. + +*Rule type*: query + +*Rule indices*: + +* apm-*-transaction* +* traces-apm* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://en.wikipedia.org/wiki/HTTP_405 + +*Tags*: + +* Elastic +* APM + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +http.response.status_code:405 + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-webshell-detection-script-process-child-of-common-web-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-webshell-detection-script-process-child-of-common-web-processes.asciidoc new file mode 100644 index 0000000000..76243b461c --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-webshell-detection-script-process-child-of-common-web-processes.asciidoc 
@@ -0,0 +1,87 @@ +[[prebuilt-rule-0-14-1-webshell-detection-script-process-child-of-common-web-processes]] +=== Webshell Detection: Script Process Child of Common Web Processes + +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Detections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and + process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-whitespace-padding-in-process-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-whitespace-padding-in-process-command-line.asciidoc new file mode 100644 index 0000000000..406ff85eab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-whitespace-padding-in-process-command-line.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-0-14-1-whitespace-padding-in-process-command-line]] +=== Whitespace Padding in Process Command Line + +Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/JohnLaTwC/status/1419251082736201737 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +- Analyze the command line of the process in question for evidence of malicious code execution. +- Review the ancestry and child processes spawned by the process in question for indicators of further malicious code execution. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.command_line regex ".*[ ]{20,}.*" or + + /* this will match on 3 or more separate occurrences of 5+ contiguous whitespace characters */ + process.command_line regex ".*(.*[ ]{5,}[^ ]*){3,}.*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ 
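Review bot: in the Whitespace Padding in Process Command Line hunk, `and` binds tighter than `or` in EQL, so the query is evaluated as `(event.type in ("start", "process_started") and process.command_line regex ".*[ ]{20,}.*") or process.command_line regex ".*(.*[ ]{5,}[^ ]*){3,}.*"`; the second regex therefore runs against every process event regardless of `event.type`. Wrap the two `regex` clauses in parentheses so the event-type filter applies to both. The ATT&CK block also lists the Defense Evasion tactic with no technique beneath it, whereas the other Defense Evasion rules in this update map a technique and sub-technique; this one should as well.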
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-windows-defender-disabled-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-windows-defender-disabled-via-registry-modification.asciidoc new file mode 100644 index 0000000000..5f069a0e62 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-windows-defender-disabled-via-registry-modification.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-0-14-1-windows-defender-disabled-via-registry-modification]] +=== Windows Defender Disabled via Registry Modification + +Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2020/12/13/defender-control/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type in ("creation", "change") and + ((registry.path:"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" and + registry.data.strings:"1") or + (registry.path:"HKLM\\System\\ControlSet*\\Services\\WinDefend\\Start" and + registry.data.strings in ("3", "4"))) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-windows-defender-exclusions-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-windows-defender-exclusions-added-via-powershell.asciidoc new file mode 100644 index 0000000000..08c5578880 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-windows-defender-exclusions-added-via-powershell.asciidoc 
@@ -0,0 +1,95 @@ +[[prebuilt-rule-0-14-1-windows-defender-exclusions-added-via-powershell]] +=== Windows Defender Exclusions Added via PowerShell + +Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Detections should be investigated to identify if the activity corresponds to legitimate activity used to put in exceptions for Windows Defender. As this rule detects post-exploitation process activity, investigations into this should be prioritized. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + (process.name : ("powershell.exe", "pwsh.exe") or process.pe.original_file_name : ("powershell.exe", "pwsh.exe")) and + process.args : ("*Add-MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-windows-network-enumeration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-windows-network-enumeration.asciidoc new file mode 100644 index 0000000000..af2b33e6a5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-windows-network-enumeration.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-0-14-1-windows-network-enumeration]] +=== Windows Network Enumeration + +Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or + ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and + not process.parent.name : "net.exe")) and + (process.args : "view" or (process.args : "time" and process.args : "\\\\*")) + + + /* expand when ancestry is available + and not descendant of [process where event.type == ("start", "process_started") and process.name : "cmd.exe" and + ((process.parent.name : "userinit.exe") or + (process.parent.name : "gpscript.exe") or + (process.parent.name : "explorer.exe" and + process.args : "C:\\*\\Start Menu\\Programs\\Startup\\*.bat*"))] + */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Network Share Discovery +** ID: T1135 +** Reference URL: https://attack.mitre.org/techniques/T1135/ 
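Review bot: in the Windows Network Enumeration hunk, the commented-out ancestry block uses `event.type == ("start", "process_started")`, which compares a string to a list; the live clause above it correctly uses `event.type in ("start", "process_started")`. Fix the operator inside the comment now so the block is not uncommented as-is later. A short comment stating that the live `process.args : "\\\\*"` is meant to match UNC paths beginning with `\\` would also help reviewers, since the escaped form is easy to misread.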
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rules-0-14-1-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rules-0-14-1-appendix.asciidoc new file mode 100644 index 0000000000..02986b759b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rules-0-14-1-appendix.asciidoc 
@@ -0,0 +1,80 @@ +["appendix",role="exclude",id="prebuilt-rule-0-14-1-prebuilt-rules-0-14-1-appendix"] += Downloadable rule update v0.14.1 + +This section lists all updates associated with version 0.14.1 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-0-14-1-aws-security-group-configuration-change-detection.asciidoc[] +include::prebuilt-rule-0-14-1-whitespace-padding-in-process-command-line.asciidoc[] +include::prebuilt-rule-0-14-1-webshell-detection-script-process-child-of-common-web-processes.asciidoc[] +include::prebuilt-rule-0-14-1-web-application-suspicious-activity-post-request-declined.asciidoc[] +include::prebuilt-rule-0-14-1-web-application-suspicious-activity-unauthorized-method.asciidoc[] +include::prebuilt-rule-0-14-1-suspicious-jar-child-process.asciidoc[] +include::prebuilt-rule-0-14-1-bash-shell-profile-modification.asciidoc[] +include::prebuilt-rule-0-14-1-aws-ec2-full-network-packet-capture-detected.asciidoc[] +include::prebuilt-rule-0-14-1-aws-rds-security-group-deletion.asciidoc[] +include::prebuilt-rule-0-14-1-spike-in-aws-error-messages.asciidoc[] +include::prebuilt-rule-0-14-1-rare-aws-error-code.asciidoc[] +include::prebuilt-rule-0-14-1-unusual-city-for-an-aws-command.asciidoc[] +include::prebuilt-rule-0-14-1-unusual-country-for-an-aws-command.asciidoc[] +include::prebuilt-rule-0-14-1-unusual-aws-command-for-a-user.asciidoc[] +include::prebuilt-rule-0-14-1-aws-rds-security-group-creation.asciidoc[] +include::prebuilt-rule-0-14-1-azure-active-directory-high-risk-sign-in.asciidoc[] +include::prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc[] +include::prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc[] +include::prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc[] +include::prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc[] +include::prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc[] 
+include::prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc[] +include::prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc[] +include::prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc[] +include::prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc[] +include::prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc[] +include::prebuilt-rule-0-14-1-o365-excessive-single-sign-on-logon-errors.asciidoc[] +include::prebuilt-rule-0-14-1-modification-of-dynamic-linker-preload-shared-object.asciidoc[] +include::prebuilt-rule-0-14-1-potential-privacy-control-bypass-via-tccdb-modification.asciidoc[] +include::prebuilt-rule-0-14-1-macos-installer-spawns-network-event.asciidoc[] +include::prebuilt-rule-0-14-1-persistence-via-docker-shortcut-modification.asciidoc[] +include::prebuilt-rule-0-14-1-finder-sync-plugin-registered-and-enabled.asciidoc[] +include::prebuilt-rule-0-14-1-spike-in-network-traffic.asciidoc[] +include::prebuilt-rule-0-14-1-anomalous-linux-compiler-activity.asciidoc[] +include::prebuilt-rule-0-14-1-anomalous-kernel-module-activity.asciidoc[] +include::prebuilt-rule-0-14-1-unusual-linux-network-activity.asciidoc[] +include::prebuilt-rule-0-14-1-anomalous-process-for-a-linux-population.asciidoc[] +include::prebuilt-rule-0-14-1-unusual-linux-username.asciidoc[] +include::prebuilt-rule-0-14-1-unusual-process-for-a-linux-host.asciidoc[] +include::prebuilt-rule-0-14-1-unusual-process-for-a-windows-host.asciidoc[] +include::prebuilt-rule-0-14-1-unusual-windows-network-activity.asciidoc[] +include::prebuilt-rule-0-14-1-anomalous-process-for-a-windows-population.asciidoc[] +include::prebuilt-rule-0-14-1-unusual-windows-username.asciidoc[] +include::prebuilt-rule-0-14-1-default-cobalt-strike-team-server-certificate.asciidoc[] +include::prebuilt-rule-0-14-1-dns-activity-to-the-internet.asciidoc[] 
+include::prebuilt-rule-0-14-1-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc[] +include::prebuilt-rule-0-14-1-rdp-remote-desktop-protocol-from-the-internet.asciidoc[] +include::prebuilt-rule-0-14-1-telnet-port-activity.asciidoc[] +include::prebuilt-rule-0-14-1-vnc-virtual-network-computing-from-the-internet.asciidoc[] +include::prebuilt-rule-0-14-1-vnc-virtual-network-computing-to-the-internet.asciidoc[] +include::prebuilt-rule-0-14-1-rpc-remote-procedure-call-from-the-internet.asciidoc[] +include::prebuilt-rule-0-14-1-rpc-remote-procedure-call-to-the-internet.asciidoc[] +include::prebuilt-rule-0-14-1-smb-windows-file-sharing-activity-to-the-internet.asciidoc[] +include::prebuilt-rule-0-14-1-exporting-exchange-mailbox-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-1-new-activesyncalloweddeviceid-added-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-1-ntds-or-sam-database-file-copied.asciidoc[] +include::prebuilt-rule-0-14-1-modification-of-amsienable-registry-key.asciidoc[] +include::prebuilt-rule-0-14-1-windows-defender-disabled-via-registry-modification.asciidoc[] +include::prebuilt-rule-0-14-1-windows-defender-exclusions-added-via-powershell.asciidoc[] +include::prebuilt-rule-0-14-1-mshta-making-network-connections.asciidoc[] +include::prebuilt-rule-0-14-1-windows-network-enumeration.asciidoc[] +include::prebuilt-rule-0-14-1-external-ip-lookup-from-non-browser-process.asciidoc[] +include::prebuilt-rule-0-14-1-execution-of-file-written-or-modified-by-microsoft-office.asciidoc[] +include::prebuilt-rule-0-14-1-suspicious-wmi-image-load-from-ms-office.asciidoc[] +include::prebuilt-rule-0-14-1-disabling-user-account-control-via-registry-modification.asciidoc[] +include::prebuilt-rule-0-14-1-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc[] +include::prebuilt-rule-0-14-1-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc[] 
+include::prebuilt-rule-0-14-1-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc[] +include::prebuilt-rule-0-14-1-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc[] +include::prebuilt-rule-0-14-1-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc[] +include::prebuilt-rule-0-14-1-bypass-uac-via-event-viewer.asciidoc[] +include::prebuilt-rule-0-14-1-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc[] +include::prebuilt-rule-0-14-1-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc[] +include::prebuilt-rule-0-14-1-unusual-parent-child-relationship.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rules-0-14-1-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rules-0-14-1-summary.asciidoc new file mode 100644 index 0000000000..cadb946ad6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rules-0-14-1-summary.asciidoc 
@@ -0,0 +1,160 @@ +[[prebuilt-rule-0-14-1-prebuilt-rules-0-14-1-summary]] +[role="xpack"] +== Update v0.14.1 + +This section lists all updates associated with version 0.14.1 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Identifies a change to an AWS Security Group Configuration. A security group is like a virtul firewall and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in a AWS environment. | new | 1 + +|<> | Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior. | new | 1 + +|<> | Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. | new | 1 + +|<> | A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed. | update | 8 + +|<> | A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource. | update | 8 + +|<> | Identifies suspicious child processes of a Java Archive (JAR) file. JAR files may be used to deliver malware in order to evade detection. | update | 2 + +|<> | Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. 
Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell. | update | 2 + +|<> | Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. | update | 2 + +|<> | Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. | update | 2 + +|<> | A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery. | update | 6 + +|<> | A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection. | update | 6 + +|<> | A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). | update | 6 + +|<> | A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). | update | 6 + +|<> | A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. 
This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data. | update | 6 + +|<> | Identifies the creation of an Amazon Relational Database Service (RDS) Security group. | update | 2 + +|<> | Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised. | update | 3 + +|<> | Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data. | update | 5 + +|<> | Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls. | update | 5 + +|<> | Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators. | update | 5 + +|<> | Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls. | update | 6 + +|<> | Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. | update | 6 + +|<> | Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. 
| update | 6 + +|<> | Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target’s environment. | update | 5 + +|<> | Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. | update | 5 + +|<> | Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. | update | 5 + +|<> | Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. | update | 5 + +|<> | Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token. | update | 2 + +|<> | Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries. | update | 2 + +|<> | Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar. | update | 2 + +|<> | Identifies when the built in macOS Installer program generates a network event after attempting to install a .pkg file. This activity has been observed being leveraged by malware. 
| update | 3 + +|<> | An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked. | update | 2 + +|<> | Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. | update | 2 + +|<> | A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic. | update | 3 + +|<> | Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity. | update | 3 + +|<> | Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth. | update | 4 + +|<> | Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications. | update | 6 + +|<> | Searches for rare processes running on multiple Linux hosts in an entire fleet or network. 
This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet. | update | 7 + +|<> | A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another. | update | 7 + +|<> | Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host. | update | 7 + +|<> | Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host. | update | 7 + +|<> | Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. 
A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications. | update | 7 + +|<> | Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet. | update | 7 + +|<> | A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another. | update | 7 + +|<> | This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration. 
| update | 6 + +|<> | This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS and it opens your network to a variety of abuses and malicious communications. | update | 11 + +|<> | Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs (tactics, techniques, and procedures). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control. | update | 7 + +|<> | This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. | update | 11 + +|<> | This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. | update | 9 + +|<> | This rule detects network events that may indicate the use of VNC traffic from the Internet. 
VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. | update | 11 + +|<> | This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. | update | 11 + +|<> | This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. | update | 11 + +|<> | This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. | update | 11 + +|<> | This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration. 
| update | 11 + +|<> | Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. | update | 4 + +|<> | Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information. | update | 4 + +|<> | Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials. | update | 4 + +|<> | JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify this key to disable AMSI protections. | update | 2 + +|<> | Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually. | update | 3 + +|<> | Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level. | update | 2 + +|<> | Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection. | update | 5 + +|<> | Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. | update | 4 + +|<> | Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot. 
| update | 6 + +|<> | Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications. | update | 5 + +|<> | Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products. | update | 4 + +|<> | User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection. | update | 2 + +|<> | Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. | update | 4 + +|<> | Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. | update | 4 + +|<> | Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. | update | 4 + +|<> | Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions. | update | 6 + +|<> | Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. | update | 4 + +|<> | Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. | update | 9 + +|<> | Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. | update | 4 + +|<> | Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. | update | 4 + +|<> | Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. | update | 9 + +|============================================== diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index e6ba56a60d..7784e17f71 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc @@ -11,6 +11,10 @@ To download the latest updates, follow the instructions in <> | 08 Sep 2021 | 3 | 71 | +Included in this release is a rule to detect web shells, including +https://discuss.elastic.co/t/detection-and-response-for-proxyshell-activity/282407[ProxyShell] activity. + |<> | 22 Jul 2021 | 4 | 36 | Included in this release is a rule for Windows Defender Exclusions, which has been used in recent campaigns, as well as a rule to resiliently detect parent PID spoofing. 
@@ -29,3 +33,4 @@ https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527[PrintNightm include::downloadable-packages/0-13-1/prebuilt-rules-0-13-1-summary.asciidoc[leveloffset=+1] include::downloadable-packages/0-13-2/prebuilt-rules-0-13-2-summary.asciidoc[leveloffset=+1] include::downloadable-packages/0-13-3/prebuilt-rules-0-13-3-summary.asciidoc[leveloffset=+1] +include::downloadable-packages/0-14-1/prebuilt-rules-0-14-1-summary.asciidoc[leveloffset=+1] diff --git a/docs/index.asciidoc b/docs/index.asciidoc index a7da2c124d..1ee98ebd34 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -54,3 +54,5 @@ include::detections/prebuilt-rules/downloadable-packages/0-13-1/prebuilt-rules-0 include::detections/prebuilt-rules/downloadable-packages/0-13-2/prebuilt-rules-0-13-2-appendix.asciidoc[] include::detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rules-0-13-3-appendix.asciidoc[] + +include::detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rules-0-14-1-appendix.asciidoc[]
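Review bot: In docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rules-0-14-1-summary.asciidoc, several rule descriptions in the new table carry typos or copy-paste errors and should be corrected (if these descriptions are generated from the rule metadata, the fix belongs at that source so it does not regress on the next package): the AWS Security Group Configuration Change row reads "virtul firewall" and "a AWS environment"; the MFA Disabled for Google Workspace Organization row reuses the password-policy rationale ("An adversary may attempt to modify a password policy in order to weaken...") instead of describing MFA being disabled; the Unusual Windows Username row refers to "automated Linux fleets", duplicated from the Unusual Linux Username row; and the Disabling User Account Control row expands UAC as "User Access Control (UAC)" in its last sentence where its first sentence correctly says "User Account Control". The Unusual Process for a Linux Host and Unusual Process for a Windows Host rows also share a word-for-word identical description, which is fine if intentional but worth confirming against the rule sources.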
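Review bot: Stray blank line in the docs/index.asciidoc hunk: the existing 0-13-x appendix includes sit on consecutive lines, but the change adds an empty `+` line before `include::detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rules-0-14-1-appendix.asciidoc[]`. Drop the blank `+` line so the include list stays uniform, matching how the same include was added without a gap in docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc.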