diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-access-of-stored-browser-credentials.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-access-of-stored-browser-credentials.asciidoc new file mode 100644 index 0000000000..43edb2f4d2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-access-of-stored-browser-credentials.asciidoc 
@@ -0,0 +1,97 @@ +[[prebuilt-rule-7-16-4-access-of-stored-browser-credentials]] +=== Access of Stored Browser Credentials + +Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Credential Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.args : + ( + "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data", + "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies", + "/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies", + "/Users/*/Library/Cookies*", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json", + "Login Data", + "Cookies.binarycookies", + "key4.db", + "key3.db", + "logins.json", + "cookies.sqlite" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-access-to-keychain-credentials-directories.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-access-to-keychain-credentials-directories.asciidoc new file mode 100644 index 0000000000..53e2ddc910 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-access-to-keychain-credentials-directories.asciidoc 
@@ -0,0 +1,104 @@ +[[prebuilt-rule-7-16-4-access-to-keychain-credentials-directories]] +=== Access to Keychain Credentials Directories + +Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x25.html +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Credential Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.args : + ( + "/Users/*/Library/Keychains/*", + "/Library/Keychains/*", + "/Network/Library/Keychains/*", + "System.keychain", + "login.keychain-db", + "login.keychain" + ) and + not process.args : ("find-certificate", + "add-trusted-cert", + "set-keychain-settings", + "delete-certificate", + "/Users/*/Library/Keychains/openvpn.keychain-db", + "show-keychain-info", + "lock-keychain", + "set-key-partition-list", + "import", + "find-identity") and + not process.parent.executable : + ( + "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect", + "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise", + "/opt/jc/bin/jumpcloud-agent" + ) and + not process.executable : "/opt/jc/bin/jumpcloud-agent" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-account-discovery-command-via-system-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-account-discovery-command-via-system-account.asciidoc new file mode 100644 index 0000000000..22805f7203 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-account-discovery-command-via-system-account.asciidoc 
@@ -0,0 +1,117 @@ +[[prebuilt-rule-7-16-4-account-discovery-command-via-system-account]] +=== Account Discovery Command via SYSTEM Account + +Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 15 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Account Discovery Command via SYSTEM Account + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed +after attackers successfully perform privilege escalation or exploit web applications. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, + investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential + webshell backdoor. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system +shell using Windows services, scheduled tasks or other third party utilities. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). +- Use the data collected through the analysis to investigate other machines affected in the environment. + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (?process.Ext.token.integrity_level_name : "System" or + ?winlog.event_data.IntegrityLevel : "System") and + (process.name : "whoami.exe" or + (process.name : "net1.exe" and not process.parent.name : "net.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Owner/User Discovery +** ID: T1033 +** Reference URL: https://attack.mitre.org/techniques/T1033/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-account-password-reset-remotely.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-account-password-reset-remotely.asciidoc new file mode 100644 index 0000000000..76db6c3842 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-account-password-reset-remotely.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-account-password-reset-remotely]] +=== Account Password Reset Remotely + +Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724 +* https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/ +* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5m + [authentication where event.action == "logged-in" and + /* event 4624 need to be logged */ + winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and + source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId + /* event 4724 need to be logged */ + [iam where event.action == "reset-password" and + ( + /* + This rule is very noisy if not scoped to privileged accounts, duplicate the + rule and add your own naming convention and accounts of interest here. 
+ */ + winlog.event_data.TargetUserName: ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*") or + winlog.event_data.TargetSid : "S-1-5-21-*-500" + ) + ] by winlog.event_data.SubjectLogonId + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adding-hidden-file-attribute-via-attrib.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adding-hidden-file-attribute-via-attrib.asciidoc new file mode 100644 index 0000000000..702389438a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adding-hidden-file-attribute-via-attrib.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-adding-hidden-file-attribute-via-attrib]] +=== Adding Hidden File Attribute via Attrib + +Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 13 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : "attrib.exe" and process.args : "+h" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ 
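Review bot: The framework list of prebuilt-rule-7-16-4-adding-hidden-file-attribute-via-attrib.asciidoc ends with `* Tactic: Persistence / TA0003` and no technique beneath it, unlike every other tactic entry in this change; either add the technique the rule is meant to map to or drop the dangling tactic so the mapping does not read as incomplete. Separately, `process.name : "attrib.exe" and process.args : "+h"` will also fire on routine user and installer use of attrib, yet the investigation guide carries only the Setup note; a short false-positive section like the one in the Account Discovery rule of this change would tell analysts what benign rate to expect from a low-severity rule.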
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adfind-command-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adfind-command-activity.asciidoc new file mode 100644 index 0000000000..84af29dccc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adfind-command-activity.asciidoc 
@@ -0,0 +1,153 @@ +[[prebuilt-rule-7-16-4-adfind-command-activity]] +=== AdFind Command Activity + +This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://www.joeware.net/freetools/tools/adfind/ +* https://thedfirreport.com/2020/05/08/adfind-recon/ +* https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html +* https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware +* https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html +* https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AdFind Command Activity + +[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information +from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same +ways they are effective for network administrators. 
This tool provides quick ability to scope AD person/computer objects +and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of +this tool being adopted by ransomware and criminal groups and used in compromises. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Examine the command line to determine what information was retrieved by the tool. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination +of user and command line conditions. +- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in +isolation, so reviewing previous logs/activity from impacted machines can be very telling. + +### Related rules + +- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1 +- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d +- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "AdFind.exe" or process.pe.original_file_name == "AdFind.exe") and + process.args : ("objectcategory=computer", "(objectcategory=computer)", + "objectcategory=person", "(objectcategory=person)", + "objectcategory=subnet", "(objectcategory=subnet)", + "objectcategory=group", "(objectcategory=group)", + "objectcategory=organizationalunit", "(objectcategory=organizationalunit)", + "objectcategory=attributeschema", "(objectcategory=attributeschema)", + "domainlist", "dcmodes", "adinfo", "dclist", "computers_pwnotreqd", "trustdmp") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: 
https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Domain Groups +** ID: T1069.002 +** Reference URL: https://attack.mitre.org/techniques/T1069/002/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Domain Account +** ID: T1087.002 +** Reference URL: https://attack.mitre.org/techniques/T1087/002/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-administrator-privileges-assigned-to-an-okta-group.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-administrator-privileges-assigned-to-an-okta-group.asciidoc new file mode 100644 index 0000000000..a31f0f1b05 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-administrator-privileges-assigned-to-an-okta-group.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-administrator-privileges-assigned-to-an-okta-group]] +=== Administrator Privileges Assigned to an Okta Group + +Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:group.privilege.grant + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ 
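Review bot: `*Searches indices from*: None` next to `*Runs every*: 5m` in prebuilt-rule-7-16-4-administrator-privileges-assigned-to-an-okta-group.asciidoc looks like a missing lookback value in the rule source rather than an intentional setting; every eql rule in this change renders `now-9m` here, and a literal "None" followed by the Date Math link will confuse readers. Confirm the rule's actual lookback and render it, or omit the line. The `see also <>` on the same line is an empty asciidoc cross-reference and needs a target.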
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-administrator-role-assigned-to-an-okta-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-administrator-role-assigned-to-an-okta-user.asciidoc new file mode 100644 index 0000000000..2eb12e27dd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-administrator-role-assigned-to-an-okta-user.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-administrator-role-assigned-to-an-okta-user]] +=== Administrator Role Assigned to an Okta User + +Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Okta +* SecOps +* Monitoring +* Continuous Monitoring + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:user.account.privilege.grant + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ 
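Review bot: The tags of prebuilt-rule-7-16-4-administrator-role-assigned-to-an-okta-user.asciidoc omit `Identity`, which the sibling group rule in this change carries, and list the remaining tags in a different order; align the two so filtering by tag treats the pair consistently. The same `*Searches indices from*: None` rendering gap flagged on the group rule applies here as well.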
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adminsdholder-sdprop-exclusion-added.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adminsdholder-sdprop-exclusion-added.asciidoc new file mode 100644 index 0000000000..6042efe5fb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adminsdholder-sdprop-exclusion-added.asciidoc 
@@ -0,0 +1,136 @@ +[[prebuilt-rule-7-16-4-adminsdholder-sdprop-exclusion-added]] +=== AdminSDHolder SDProp Exclusion Added + +Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad +* https://petri.com/active-directory-security-understanding-adminsdholder-object + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence +* Active Directory + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AdminSDHolder SDProp Exclusion Added + +The SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the +permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected +accounts and groups to match those defined in the domain AdminSDHolder object. 
+ +The dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is +used to determine the behavior of Active Directory. + +Administrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the +16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s): + +* For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character +is set to 1 (i.e., 0000000001000001). + +The usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the +excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high +privileges. + +This rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field: + - Account Operators eq 1 + - Server Operators eq 2 + - Print Operators eq 4 + - Backup Operators eq 8 + The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; + for example, Backup Operators and Print Operators will set the `c` value on the bit. + +### False positive analysis + +- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) +should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group. 
+ +### Response and remediation + +- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'Audit Directory Service Changes' logging policy must be configured for (Success). +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success) +``` + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where event.action == "Directory Service Changes" and + event.code == "5136" and + winlog.event_data.AttributeLDAPDisplayName : "dSHeuristics" and + length(winlog.event_data.AttributeValue) > 15 and + winlog.event_data.AttributeValue regex~ "[0-9]{15}([1-9a-f]).*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adobe-hijack-persistence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adobe-hijack-persistence.asciidoc new file mode 100644 index 0000000000..e2eb84ef57 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-adobe-hijack-persistence.asciidoc 
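Review bot: the investigation guide in the AdminSDHolder SDProp Exclusion Added hunk is inconsistent about what dwAdminSDExMask is: it first describes dSHeuristics as a string in which each character is a heuristic, then calls the 16th position a "bit" whose value "can range from 0 to f (15)" and says group values are "summed". A single bit cannot hold 0 to f; suggest "16th character (dwAdminSDExMask), a hex digit whose group flags are combined" in the triage step, the remediation bullet and the rule description ("on the bit that holds the configuration"). The query's `winlog.event_data.AttributeValue regex~ "[0-9]{15}([1-9a-f]).*"` also fires only when the first 15 characters are all decimal digits; if any earlier heuristic position can legitimately hold a hex letter, an exclusion set at position 16 would be missed, so confirm the digit-only prefix is intentional or relax it to `[0-9a-f]{15}`. The `length(winlog.event_data.AttributeValue) > 15` clause is redundant with that regex but harmless.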
@@ -0,0 +1,130 @@ +[[prebuilt-rule-7-16-4-adobe-hijack-persistence]] +=== Adobe Hijack Persistence + +Detects writing executable files that will be automatically launched by Adobe on launch. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/pabraeken/status/997997818362155008 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 14 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Adobe Hijack Persistence + +Attackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched +whenever Adobe Acrobat Reader is executed. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. 
+ - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type == "creation" and + file.path : ("?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe", + "?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe") and + not process.name : "msiexec.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Services File Permissions Weakness +** ID: T1574.010 +** Reference URL: https://attack.mitre.org/techniques/T1574/010/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-apple-script-execution-followed-by-network-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-apple-script-execution-followed-by-network-connection.asciidoc new file mode 100644 index 0000000000..d1402cf1b7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-apple-script-execution-followed-by-network-connection.asciidoc 
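Review bot: the rule description in the Adobe Hijack Persistence hunk is ungrammatical and vague ("launched by Adobe on launch"); suggest "Detects the creation of an executable at the RdrCEF.exe path, which Adobe Acrobat Reader launches automatically when it starts", which matches the investigation guide. The ATT&CK mapping should also be checked: T1574.010 (Services File Permissions Weakness) covers service binaries, while the guide describes replacing a child executable of a user application, so T1574 without that sub-technique may fit better. Finally, the query excludes only `not process.name : "msiexec.exe"` as the creating process while the false-positive section says the activity is "unlikely to happen legitimately"; document why MSI installs are the sole exclusion (Reader installs and updates, presumably) so that anyone tuning the rule knows which other writers are expected.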
@@ -0,0 +1,83 @@ +[[prebuilt-rule-7-16-4-apple-script-execution-followed-by-network-connection]] +=== Apple Script Execution followed by Network Connection + +Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Command and Control +* Execution + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=30s + [process where event.type == "start" and process.name == "osascript"] + [network where event.type != "end" and process.name == "osascript" and destination.ip != "::1" and + not cidrmatch(destination.ip, + "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", + "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", + "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference 
URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: AppleScript +** ID: T1059.002 +** Reference URL: https://attack.mitre.org/techniques/T1059/002/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-apple-scripting-execution-with-administrator-privileges.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-apple-scripting-execution-with-administrator-privileges.asciidoc new file mode 100644 index 0000000000..f04221fa9f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-apple-scripting-execution-with-administrator-privileges.asciidoc 
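Review bot: the Apple Script Execution followed by Network Connection hunk is missing the `## Setup` investigation-guide note about `event.ingested` on non-elastic-agent indices that every other EQL rule in this package carries (compare the Apple Scripting Execution with Administrator Privileges file); since this rule also targets `auditbeat-*`, the same caveat applies and should be added. In the query, `destination.ip != "::1"` is redundant because `"::1"` is already in the `cidrmatch` exclusion list; dropping one of the two keeps the intent clearer.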
@@ -0,0 +1,83 @@ +[[prebuilt-rule-7-16-4-apple-scripting-execution-with-administrator-privileges]] +=== Apple Scripting Execution with Administrator Privileges + +Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://discussions.apple.com/thread/2266150 + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Execution +* Privilege Escalation + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*with administrator privileges" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-application-added-to-google-workspace-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-application-added-to-google-workspace-domain.asciidoc new file mode 100644 index 0000000000..9788a7ec64 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-application-added-to-google-workspace-domain.asciidoc 
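Review bot: the rule description in the Apple Scripting Execution with Administrator Privileges hunk claims execution "without a password prompt", but the query only matches `process.command_line : "osascript*with administrator privileges"` and has no condition that distinguishes a prompted from an unprompted run; either drop that clause from the description or document how the absence of a prompt is inferred. Because the pattern has no trailing wildcard, a match also requires the command line to end exactly with the phrase, so any trailing text (further script after the `with administrator privileges` clause, or a trailing argument) is missed; consider `"osascript*with administrator privileges*"` if that is not intentional.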
@@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-application-added-to-google-workspace-domain]] +=== Application Added to Google Workspace Domain + +Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/6328701?hl=en# + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-create-okta-api-token.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-create-okta-api-token.asciidoc new file mode 100644 index 0000000000..b128d01f54 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-create-okta-api-token.asciidoc 
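Review bot: the Application Added to Google Workspace Domain hunk has no `*Framework*: MITRE ATT&CK` section, although the description explicitly describes persistence ("maintain a presence in their target's organization") and data theft; every other rule in this patch carries a mapping, so add one (Persistence, TA0003 at minimum) or state why it is omitted. The setup note also links only the legacy `filebeat-module-gsuite` page while the query accepts both `gsuite.admin` and `google_workspace.admin`; link the Google Workspace module or integration documentation as well so users on the current dataset are not pointed only at the old module.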
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-attempt-to-create-okta-api-token]] +=== Attempt to Create Okta API Token + +Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:system.api_token.create + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ 
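Review bot: `*Searches indices from*: None` in the Attempt to Create Okta API Token hunk (and in every other Okta rule file in this patch) looks like a doc-generation defect: the rule's lookback value is missing, so the rendered field shows the literal `None` next to a Date Math link. Either the rule sources should carry an explicit lookback (the EQL rules above use `now-9m` for a 5m interval) or the generator should omit the field when it is unset. The Persistence mapping to T1136 (Create Account) is also a loose fit for API-token creation, since no account is created; T1098 (Account Manipulation), which is already used by the Okta MFA rule in this patch, or its Additional Cloud Credentials sub-technique T1098.001 describes the behaviour more accurately.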
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-application.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-application.asciidoc new file mode 100644 index 0000000000..c4fbb2839e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-application.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-application]] +=== Attempt to Deactivate an Okta Application + +Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring +* Impact + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:application.lifecycle.deactivate + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-network-zone.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-network-zone.asciidoc new file mode 100644 index 0000000000..8d5c27a791 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-network-zone.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-network-zone]] +=== Attempt to Deactivate an Okta Network Zone + +Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Network Security +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:zone.deactivate + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-policy-rule.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-policy-rule.asciidoc new file mode 100644 index 0000000000..71559435a2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-policy-rule.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-policy-rule]] +=== Attempt to Deactivate an Okta Policy Rule + +Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:policy.rule.deactivate + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
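Review bot: the ATT&CK sub-technique in the Attempt to Deactivate an Okta Policy Rule hunk, T1562.007 (Disable or Modify Cloud Firewall), does not describe deactivating a sign-on or authentication policy rule; the mapping appears to be reused verbatim from the network-zone rules, where it fits. For policy and policy-rule changes, T1562 (Impair Defenses) without the cloud-firewall sub-technique is more accurate. The same applies to the Attempt to Deactivate an Okta Policy and Attempt to Delete an Okta Policy Rule files in this patch.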
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-policy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-policy.asciidoc new file mode 100644 index 0000000000..a4c783f674 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-policy.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-policy]] +=== Attempt to Deactivate an Okta Policy + +Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:policy.lifecycle.deactivate + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-mfa-for-an-okta-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-mfa-for-an-okta-user-account.asciidoc new file mode 100644 index 0000000000..350e3d18d5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-deactivate-mfa-for-an-okta-user-account.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-attempt-to-deactivate-mfa-for-an-okta-user-account]] +=== Attempt to Deactivate MFA for an Okta User Account + +Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:user.mfa.factor.deactivate + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-application.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-application.asciidoc new file mode 100644 index 0000000000..85add1f604 
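Review bot: severity `low` / risk score 21 in the Attempt to Deactivate MFA for an Okta User Account hunk is lower than the `medium` assigned to network-zone and policy-rule deactivation in this same patch, even though the description says the action weakens the authentication requirements for the account. If low is intentional because legitimate user- or helpdesk-initiated factor resets are expected to trigger `user.mfa.factor.deactivate`, the investigation guide should say so (it currently contains only a Setup section), so that analysts know which events to expect as false positives.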
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-application.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-attempt-to-delete-an-okta-application]] +=== Attempt to Delete an Okta Application + +Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring +* Impact + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:application.lifecycle.delete + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-network-zone.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-network-zone.asciidoc new file mode 100644 index 0000000000..d5cd79465d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-network-zone.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-attempt-to-delete-an-okta-network-zone]] +=== Attempt to Delete an Okta Network Zone + +Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Network Security +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:zone.delete + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-policy-rule.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-policy-rule.asciidoc new file mode 100644 index 0000000000..3f7fbdd9fb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-policy-rule.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-attempt-to-delete-an-okta-policy-rule]] +=== Attempt to Delete an Okta Policy Rule + +Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:policy.rule.delete + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
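Review bot: the ATT&CK block at the end maps deletion of an Okta policy rule to sub-technique T1562.007 "Disable or Modify Cloud Firewall", which describes cloud firewall changes rather than identity-policy changes. Map the policy and policy-rule rules to T1562 without that sub-technique (or to one that covers authentication policy) and keep T1562.007 for the network-zone rules. Severity is also `low` (risk score 21) here while the network-zone delete is `medium` (47); record the rationale if the difference is intended.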
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-policy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-policy.asciidoc new file mode 100644 index 0000000000..fc4668cd96 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-delete-an-okta-policy.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-attempt-to-delete-an-okta-policy]] +=== Attempt to Delete an Okta Policy + +Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:policy.lifecycle.delete + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
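Review bot: the description motivates the rule with deletion of an MFA policy, but the query `event.dataset:okta.system and event.action:policy.lifecycle.delete` fires on deletion of any policy type, and the investigation guide carries only the Setup section. Add triage guidance that tells the analyst to check which policy type was deleted and which actor performed the change before escalating, since routine administration will also produce this event.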
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-disable-iptables-or-firewall.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-disable-iptables-or-firewall.asciidoc new file mode 100644 index 0000000000..08ed35653f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-disable-iptables-or-firewall.asciidoc 
@@ -0,0 +1,70 @@ +[[prebuilt-rule-7-16-4-attempt-to-disable-iptables-or-firewall]] +=== Attempt to Disable IPTables or Firewall + +Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and + process.name:ufw and process.args:(allow or disable or reset) or + + (((process.name:service and process.args:stop) or + (process.name:chkconfig and process.args:off) or + (process.name:systemctl and process.args:(disable or stop or kill))) and + process.args:(firewalld or ip6tables or iptables)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-install-root-certificate.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-install-root-certificate.asciidoc new file mode 100644 index 0000000000..f47f27291d --- /dev/null 
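Review bot: the query has an operator-precedence problem: `and` binds tighter than `or`, so the second branch `(((process.name:service and process.args:stop) or ...) and process.args:(firewalld or ip6tables or iptables))` is joined to the first with a bare `or` and is not constrained by `event.category:process and event.type:(start or process_started)`. Wrap both process-name branches in a shared parenthesis, e.g. `event.category:process and event.type:(start or process_started) and ((process.name:ufw and process.args:(allow or disable or reset)) or (...))`. Separately, `ufw allow` adds a rule rather than disabling the firewall, so that argument is likely to be noisy relative to the rule's title.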
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-install-root-certificate.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-7-16-4-attempt-to-install-root-certificate]] +=== Attempt to Install Root Certificate + +Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://ss64.com/osx/security-cert.html + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Defense Evasion + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and + process.name:security and process.args:"add-trusted-cert" and + not process.parent.executable:("/Library/Bitdefender/AVP/product/bin/BDCoreIssues" or "/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Subvert Trust Controls +** ID: T1553 +** Reference URL: https://attack.mitre.org/techniques/T1553/ +* Sub-technique: +** Name: Install Root Certificate +** ID: T1553.004 +** Reference URL: https://attack.mitre.org/techniques/T1553/004/ 
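Review bot: the `not process.parent.executable:(...)` exclusion hard-codes two Bitdefender binaries without saying why; record the reason in the description or an investigation guide so the exclusion can be re-evaluated when those vendor paths change. Also, the closing `)` of that clause sits alone at column zero on its own line, which reads as a stray paren; keep it on the exclusion line.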
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-application.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-application.asciidoc new file mode 100644 index 0000000000..86297e6ceb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-application.asciidoc 
@@ -0,0 +1,72 @@ +[[prebuilt-rule-7-16-4-attempt-to-modify-an-okta-application]] +=== Attempt to Modify an Okta Application + +Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring +* Impact + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:application.lifecycle.update + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-network-zone.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-network-zone.asciidoc new file mode 100644 index 0000000000..1f7f128182 --- /dev/null 
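Review bot: the description says the rule detects attempts to "modify, deactivate, or delete an Okta application", but the query matches only `event.action:application.lifecycle.update`, so deactivation and deletion events are not covered; either add those event types or narrow the description to modification. The ATT&CK block also lists the Impact tactic without any technique; add one or state that no technique applies.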
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-network-zone.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-attempt-to-modify-an-okta-network-zone]] +=== Attempt to Modify an Okta Network Zone + +Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Network Security +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-policy-rule.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-policy-rule.asciidoc new file mode 100644 index 0000000000..4b3a4a1a03 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-policy-rule.asciidoc 
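Review bot: the description says an adversary may "modify, delete, or deactivate" a zone, but the query `event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)` contains no zone deactivation event (deletion is handled by the separate delete rule); add the deactivation event type or trim the description. `network_zone.rule.disabled` also follows a different naming scheme from the `zone.*` actions, so it is worth confirming against the Okta event-types reference that this is the event type Okta actually emits.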
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-attempt-to-modify-an-okta-policy-rule]] +=== Attempt to Modify an Okta Policy Rule + +Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:policy.rule.update + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
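Review bot: the Tags list uses `Identity and Access` where the sibling policy, policy-rule-delete and policy-update docs in this package use `Monitoring`; pick one for the whole Okta policy family so the rules can be filtered together. The T1562.007 "Disable or Modify Cloud Firewall" sub-technique is also a poor fit for a policy-rule change, as noted on the delete-policy-rule doc.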
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-policy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-policy.asciidoc new file mode 100644 index 0000000000..6e7cd74676 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-modify-an-okta-policy.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-attempt-to-modify-an-okta-policy]] +=== Attempt to Modify an Okta Policy + +Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:policy.lifecycle.update + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
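Review bot: the References list is missing the Okta Security Policies help page (`https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm`) that the sibling delete-policy and policy-rule docs cite; add it for consistency. As with the other policy rules, the T1562.007 "Disable or Modify Cloud Firewall" sub-technique is a poor fit for an identity policy change.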
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-mount-smb-share-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-mount-smb-share-via-command-line.asciidoc new file mode 100644 index 0000000000..0c0d00dcb2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-mount-smb-share-via-command-line.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-7-16-4-attempt-to-mount-smb-share-via-command-line]] +=== Attempt to Mount SMB Share via Command Line + +Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.freebsd.org/cgi/man.cgi?mount_smbfs +* https://ss64.com/osx/mount.html + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Lateral Movement + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ( + process.name : "mount_smbfs" or + (process.name : "open" and process.args : "smb://*") or + (process.name : "mount" and process.args : "smbfs") or + (process.name : "osascript" and process.command_line : "osascript*mount volume*smb://*") + ) and + not process.parent.executable : "/Applications/Google Drive.app/Contents/MacOS/Google Drive" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-remove-file-quarantine-attribute.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-remove-file-quarantine-attribute.asciidoc new file mode 100644 index 0000000000..0a394f3ffe --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-remove-file-quarantine-attribute.asciidoc 
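Review bot: the Setup text in the investigation guide reads awkwardly ("default fallback for EQL rules was not added until 8.2"); reword it to state that on pre-8.2 beats indices `event.ingested` is absent and a custom ingest pipeline must copy `@timestamp` into it. The `not process.parent.executable : "/Applications/Google Drive.app/Contents/MacOS/Google Drive"` exclusion should also carry a sentence explaining why that parent is trusted.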
@@ -0,0 +1,84 @@ +[[prebuilt-rule-7-16-4-attempt-to-remove-file-quarantine-attribute]] +=== Attempt to Remove File Quarantine Attribute + +Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html +* https://ss64.com/osx/xattr.html + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : "xattr" and + ( + (process.args : "com.apple.quarantine" and process.args : ("-d", "-w")) or + (process.args : "-c") or + (process.command_line : ("/bin/bash -c xattr -c *", "/bin/zsh -c xattr -c *", "/bin/sh -c xattr -c *")) + ) and not process.args_count > 12 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-reset-mfa-factors-for-an-okta-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-reset-mfa-factors-for-an-okta-user-account.asciidoc new file mode 100644 index 0000000000..0277718a44 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-reset-mfa-factors-for-an-okta-user-account.asciidoc 
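Review bot: `not process.args_count > 12` is an undocumented magic number; say in the description or guide what it is meant to exclude (presumably long multi-file invocations). The `(process.args : "-c")` branch also matches any `xattr -c` regardless of attribute, which is broader than the `com.apple.quarantine` branch; if that is intended, note it, otherwise require the quarantine attribute there as well.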
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-attempt-to-reset-mfa-factors-for-an-okta-user-account]] +=== Attempt to Reset MFA Factors for an Okta User Account + +Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:user.mfa.factor.reset_all + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-revoke-okta-api-token.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-revoke-okta-api-token.asciidoc new file mode 100644 index 0000000000..3a6075bd20 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-revoke-okta-api-token.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-attempt-to-revoke-okta-api-token]] +=== Attempt to Revoke Okta API Token + +Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:system.api_token.revoke + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Account Access Removal +** ID: T1531 +** Reference URL: https://attack.mitre.org/techniques/T1531/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc new file mode 100644 index 0000000000..7c2440d9a8 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-attempt-to-unload-elastic-endpoint-security-kernel-extension]] +=== Attempt to Unload Elastic Endpoint Security Kernel Extension + +Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Defense Evasion + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and + process.name:kextunload and process.args:("/System/Library/Extensions/EndpointSecurity.kext" or "EndpointSecurity.kext") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempted-bypass-of-okta-mfa.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempted-bypass-of-okta-mfa.asciidoc new file mode 100644 index 0000000000..e33b7279cc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempted-bypass-of-okta-mfa.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-attempted-bypass-of-okta-mfa]] +=== Attempted Bypass of Okta MFA + +Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:user.mfa.attempt_bypass + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Multi-Factor Authentication Interception +** ID: T1111 +** Reference URL: https://attack.mitre.org/techniques/T1111/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc new file mode 100644 index 0000000000..fc142bd149 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-attempts-to-brute-force-a-microsoft-365-user-account]] +=== Attempts to Brute Force a Microsoft 365 User Account + +Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 10 + +*Rule authors*: + +* Elastic +* Willem D'Haese +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and + event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and + not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or + UserStrongAuthClientAuthNRequired or InvalidReplyTo) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ 
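Review bot: the rule is `*Rule type*: threshold` but the rendered page never states the threshold field or count, so a reader cannot tell how many `UserLoginFailed` / `PasswordLogonInitialAuthUsingPassword` events, grouped on which field, trigger an alert within the `now-30m` window; suggest adding the threshold settings to the page next to the query. Also worth a sentence documenting that excluding `UserAccountNotFound` from `o365.audit.LogonError` means failures against non-existent accounts do not count toward the threshold, so the exclusion reads as a deliberate noise trade-off rather than an oversight.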
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempts-to-brute-force-an-okta-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempts-to-brute-force-an-okta-user-account.asciidoc new file mode 100644 index 0000000000..6d9c1d6d52 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-attempts-to-brute-force-an-okta-user-account.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-attempts-to-brute-force-an-okta-user-account]] +=== Attempts to Brute Force an Okta User Account + +Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-180m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic +* @BenB196 +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:user.account.lock + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ 
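Review bot: the description says `locked out 3 times within a 3 hour window` and the lookback is `now-180m`, but the page does not show the threshold field or value for this `*Rule type*: threshold` rule, so the `3` exists only in prose; suggest rendering the threshold settings (grouped field and count) beside the `event.action:user.account.lock` query so the documented behaviour and the rule configuration can be checked against each other.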
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-login-attempt-at-forbidden-time.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-login-attempt-at-forbidden-time.asciidoc new file mode 100644 index 0000000000..17c6ccab52 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-login-attempt-at-forbidden-time.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-7-16-4-auditd-login-attempt-at-forbidden-time]] +=== Auditd Login Attempt at Forbidden Time + +Identifies that a login attempt occurred at a forbidden time. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666 + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Initial Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.module:auditd and event.action:"attempted-log-in-during-unusual-hour-to" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ 
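Review bot: unlike the rules above, this hunk has no `==== Investigation guide` / `## Setup` section, so nothing tells the reader that `event.action:"attempted-log-in-during-unusual-hour-to"` only appears when the `pam_time` denial logged at the referenced `pam_time.c` line reaches the audit subsystem and is normalised by the Auditbeat `auditd` module; suggest adding a Setup note naming that dependency. `*Searches indices from*: None` also leaves the lookback window unspecified here.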
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-login-from-forbidden-location.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-login-from-forbidden-location.asciidoc new file mode 100644 index 0000000000..4c8655ef62 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-login-from-forbidden-location.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-7-16-4-auditd-login-from-forbidden-location]] +=== Auditd Login from Forbidden Location + +Identifies that a login attempt has happened from a forbidden location. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412 + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Initial Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.module:auditd and event.action:"attempted-log-in-from-unusual-place-to" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ 
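Review bot: the severity here is `high` (risk score 73) while the structurally identical `Auditd Login Attempt at Forbidden Time` rule is `medium` (47); if the distinction is intentional, a sentence in the description explaining why a `pam_access` denial (`attempted-log-in-from-unusual-place-to`) is rated above a `pam_time` denial would help the analyst. This hunk also lacks the `## Setup` section stating the Auditbeat `auditd` module dependency, and `*Searches indices from*: None` is unspecified as in the previous rule.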
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-max-failed-login-attempts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-max-failed-login-attempts.asciidoc new file mode 100644 index 0000000000..a5025ffc99 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-max-failed-login-attempts.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-7-16-4-auditd-max-failed-login-attempts]] +=== Auditd Max Failed Login Attempts + +Identifies that the maximum number of failed login attempts has been reached for a user. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574 + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Initial Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.module:auditd and event.action:"failed-log-in-too-many-times-to" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ 
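Review bot: `event.action:"failed-log-in-too-many-times-to"` is emitted by `pam_faillock` each time the lockout threshold is hit, and as a plain `query` rule with `*Maximum alerts per execution*: 100` every lockout becomes its own alert; the Okta equivalent in this package uses a threshold over `now-180m` to collapse repeated lockouts, so consider the same approach or a note in the description that the per-event design is intended. A `## Setup` section and an explicit `*Searches indices from*` value are missing here as in the other auditd rules.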
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-max-login-sessions.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-max-login-sessions.asciidoc new file mode 100644 index 0000000000..a63af6683c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-auditd-max-login-sessions.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-7-16-4-auditd-max-login-sessions]] +=== Auditd Max Login Sessions + +Identifies that the maximum number login sessions has been reached for a user. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007 + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Initial Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.module:auditd and event.action:"opened-too-many-sessions-to" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ 
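Review bot: typo in the description, `the maximum number login sessions` should read `the maximum number of login sessions`. The ATT&CK mapping to Initial Access / Persistence via Valid Accounts (T1078) is also a stretch for a `pam_limits` `opened-too-many-sessions-to` denial, which is a resource limit rather than an authentication decision; if the mapping is meant to flag shared-credential use, say so in the description.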
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-authorization-plugin-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-authorization-plugin-modification.asciidoc new file mode 100644 index 0000000000..c23fd56998 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-authorization-plugin-modification.asciidoc 
@@ -0,0 +1,70 @@ +[[prebuilt-rule-7-16-4-authorization-plugin-modification]] +=== Authorization Plugin Modification + +Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/documentation/security/authorization_plug-ins +* https://www.xorrior.com/persistent-credential-theft/ + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and not event.type:deletion and + file.path:(/Library/Security/SecurityAgentPlugins/* and + not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and + not process.name:shove and process.code_signature.trusted:true + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Authentication Package +** ID: T1547.002 +** Reference URL: https://attack.mitre.org/techniques/T1547/002/ 
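Review bot: operator precedence in the query looks wrong: in KQL `not` binds tighter than `and`, so `not process.name:shove and process.code_signature.trusted:true` requires the writing process to carry a trusted signature, which drops exactly the unsigned or untrusted writers to `/Library/Security/SecurityAgentPlugins/` that the rule should catch. The intended exclusion is presumably the trusted `shove` installer, i.e. `not (process.name:shove and process.code_signature.trusted:true)`; suggest adding the parentheses. Minor: `third party software` should be `third-party software`.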
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-access-secret-in-secrets-manager.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-access-secret-in-secrets-manager.asciidoc new file mode 100644 index 0000000000..8b86742fc5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-access-secret-in-secrets-manager.asciidoc 
@@ -0,0 +1,132 @@ +[[prebuilt-rule-7-16-4-aws-access-secret-in-secrets-manager]] +=== AWS Access Secret in Secrets Manager + +An adversary may attempt to access the secrets in AWS Secrets Manager to steal certificates, credentials, or other sensitive material. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html +* http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/ + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Data Protection +* Credential Access + +*Version*: 8 + +*Rule authors*: + +* Nick Jones +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS Access Secret in Secrets Manager + +AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with +an API call to Secrets Manager to retrieve the secret programmatically. + +This rule looks for the retrieval of credentials using the API `GetSecretValue` action. + +#### Possible investigation steps + +- Identify the account and its role in the environment, and inspect the related policy. +- Identify the applications that should use this account. +- Investigate other alerts associated with the user account during the past 48 hours. +- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage +and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc. 
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users. +- Contact the account owner and confirm whether they are aware of this activity. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Review IAM permission policies for the user identity and specific secrets accessed. +- Examine the request parameters. These might indicate the source of the program or the nature of its tasks. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher +confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. 
+ - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Application Access Token +** ID: T1528 +** Reference URL: https://attack.mitre.org/techniques/T1528/ 
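Review bot: the query `event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue` has no `event.outcome` clause, unlike the CloudTrail rules in this package that filter on `event.outcome:success`; state in the description whether denied `GetSecretValue` calls are intentionally included (an access-denied on a secret the principal does not normally read is useful evidence), because the False positive analysis section already warns that the rule fires on all intended usage and needs exceptions. In the investigation steps, `Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.` reads as if the AWS CLI itself is suspicious; rephrase to say which user agents are expected for this account and that anything else warrants a look.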
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-created.asciidoc new file mode 100644 index 0000000000..6883e12d6b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-created.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-aws-cloudtrail-log-created]] +=== AWS CloudTrail Log Created + +Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Cloud Storage Object +** ID: T1530 +** Reference URL: https://attack.mitre.org/techniques/T1530/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-deleted.asciidoc new file mode 100644 index 0000000000..20abbe250d --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-deleted.asciidoc 
@@ -0,0 +1,135 @@ +[[prebuilt-rule-7-16-4-aws-cloudtrail-log-deleted]] +=== AWS CloudTrail Log Deleted + +Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS CloudTrail Log Deleted + +Amazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your +Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to +actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services +account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and +other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and +troubleshooting. + +This rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. Attackers can do this to +cover their tracks and impact security monitoring that relies on this source. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. 
+- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and IP address conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
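Review bot: `event.outcome:success` in the query means a denied `DeleteTrail` attempt produces no alert, yet an `AccessDenied` on trail deletion is a strong indicator that a principal is trying to disable logging; either document that failed attempts are out of scope or point to a companion rule. The mapping to T1562.001 (Disable or Modify Tools) is defensible, but given the `Log Auditing` tag the more specific T1562.008 (Disable or Modify Cloud Logs) would fit this action; worth checking which sub-technique the package standardises on so the three CloudTrail rules agree.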
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-suspended.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-suspended.asciidoc new file mode 100644 index 0000000000..af21b3b541 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-suspended.asciidoc 
@@ -0,0 +1,135 @@ +[[prebuilt-rule-7-16-4-aws-cloudtrail-log-suspended]] +=== AWS CloudTrail Log Suspended + +Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS CloudTrail Log Suspended + +Amazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your +Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to +actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services +account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and +other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and +troubleshooting. + +This rule identifies the suspension of an AWS log trail using the API `StopLogging` action. Attackers can do this to +cover their tracks and impact security monitoring that relies on this source. 
+ +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and IP address conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. 
+ - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-updated.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-updated.asciidoc new file mode 100644 index 0000000000..1cf4ff22a3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudtrail-log-updated.asciidoc 
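Review bot: the investigation step "Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion" does not fit this rule, which matches `StopLogging`; the trail still exists, only recording is suspended. Suggest "Investigate the suspended trail's criticality and whether the responsible team is aware of the suspension", plus a step to confirm whether logging was re-enabled (`StartLogging`) and to re-enable it during response, since the CloudTrail coverage gap persists until it is. Also worth noting: ATT&CK has the more specific sub-technique T1562.008 (Disable or Modify Cloud Logs) for this behaviour; the Framework section lists only T1562.001.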
@@ -0,0 +1,143 @@ +[[prebuilt-rule-7-16-4-aws-cloudtrail-log-updated]] +=== AWS CloudTrail Log Updated + +Identifies an update to an AWS log trail setting that specifies the delivery of log files. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS CloudTrail Log Updated + +Amazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your +Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to +actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services +account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and +other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and +troubleshooting. + +This rule identifies a modification on CloudTrail settings using the API `UpdateTrail` action. Attackers can do this to +cover their tracks and impact security monitoring that relies on this source. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. 
+- Examine the response elements of the event to determine the scope of the changes. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and IP address conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Manipulation +** ID: T1565 +** Reference URL: https://attack.mitre.org/techniques/T1565/ +* Sub-technique: +** Name: Stored Data Manipulation +** ID: T1565.001 +** Reference URL: https://attack.mitre.org/techniques/T1565/001/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Cloud Storage Object +** ID: T1530 +** Reference URL: https://attack.mitre.org/techniques/T1530/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudwatch-alarm-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudwatch-alarm-deletion.asciidoc new file mode 100644 index 0000000000..6ce4968aed --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudwatch-alarm-deletion.asciidoc 
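Review bot: the ATT&CK mapping is inconsistent with the guide text. The guide says attackers use `UpdateTrail` to "cover their tracks and impact security monitoring", which is Defense Evasion (TA0005, Impair Defenses T1562), yet the Framework section lists only Impact/T1565.001 and Collection/T1530. Either align the mapping with the narrative (T1562.008, Disable or Modify Cloud Logs, is the closest fit) or explain in the guide why data manipulation and collection are the intended mappings. In "Examine the response elements of the event to determine the scope of the changes", the event's request parameters are the direct record of what the caller changed (for example a different S3 bucket, or multi-region and global-service settings switched off); suggest pointing the analyst at both request parameters and response elements.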
@@ -0,0 +1,135 @@ +[[prebuilt-rule-7-16-4-aws-cloudwatch-alarm-deletion]] +=== AWS CloudWatch Alarm Deletion + +Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html +* https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS CloudWatch Alarm Deletion + +Amazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of +logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize +logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your +applications running smoothly. + +CloudWatch Alarms is a feature that allows you to watch CloudWatch metrics and to receive notifications when the metrics +fall outside of the levels (high or low thresholds) that you configure. + +This rule looks for the deletion of a alarm using the API `DeleteAlarms` action. Attackers can do this to cover their +tracks and evade security defenses. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. 
+- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if there is a justification for this behavior. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and IP address conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
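Review bot: typo in the guide, "This rule looks for the deletion of a alarm" should read "of an alarm". This rule's investigation steps also say "Check if there is a justification for this behavior" where the sibling rules in this package say "Check if this operation was approved and performed according to the organization's change management policy"; suggest the same wording here for consistency. It would help the analyst to add a step to read the alarm names from the event's request parameters, so they can tell which alarms, and therefore which monitored metrics, lost coverage.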
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudwatch-log-group-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudwatch-log-group-deletion.asciidoc new file mode 100644 index 0000000000..d307cc3a79 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudwatch-log-group-deletion.asciidoc 
@@ -0,0 +1,145 @@ +[[prebuilt-rule-7-16-4-aws-cloudwatch-log-group-deletion]] +=== AWS CloudWatch Log Group Deletion + +Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html +* https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS CloudWatch Log Group Deletion + +Amazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of +logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize +logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your +applications running smoothly. + +A log group is a group of log streams that share the same retention, monitoring, and access control settings. You can +define log groups and specify which streams to put into each group. There is no limit on the number of log streams that +can belong to one log group. + +This rule looks for the deletion of a log group using the API `DeleteLogGroup` action. 
Attackers can do this to cover +their tracks and impact security monitoring that relies on these sources. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Investigate the deleted log group's criticality and whether the responsible team is aware of the deletion. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and IP address conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. 
+ - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudwatch-log-stream-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudwatch-log-stream-deletion.asciidoc new file mode 100644 index 0000000000..6347d77a54 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-cloudwatch-log-stream-deletion.asciidoc 
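Review bot: the Tags list omits `Impact` even though the Framework section maps the rule to Impact (TA0040, Data Destruction T1485); the companion AWS CloudWatch Log Stream Deletion rule in this same package carries the same mapping and does include `Impact` in its tags. Suggest adding it so tag-based filtering returns both rules. As a suggestion for the false positive section: log groups are routinely deleted by infrastructure-as-code teardown (a stack that owns a Lambda function or ECS service deletes its log group with it), so exceptions are better keyed on the automation role plus source IP than on an individual user.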
@@ -0,0 +1,145 @@ +[[prebuilt-rule-7-16-4-aws-cloudwatch-log-stream-deletion]] +=== AWS CloudWatch Log Stream Deletion + +Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html +* https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Log Auditing +* Impact + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS CloudWatch Log Stream Deletion + +Amazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of +logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize +logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your +applications running smoothly. + +A log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs +makes up a separate log stream. + +This rule looks for the deletion of a log stream using the API `DeleteLogStream` action. Attackers can do this to cover +their tracks and impact security monitoring that relies on these sources. 
+ +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Investigate the deleted log stream's criticality and whether the responsible team is aware of the deletion. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and IP address conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. 
+ - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-config-resource-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-config-resource-deletion.asciidoc new file mode 100644 index 0000000000..9b564a274f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-config-resource-deletion.asciidoc 
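Review bot: the description "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream" reads awkwardly; suggest "which permanently deletes all archived log events associated with the stream", matching the phrasing of the Log Group Deletion rule. Minor consistency point: this guide and the Config rule ask "Do they look normal for the calling user?" while the other rules in the batch say "for the user?"; pick one form for the package.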
@@ -0,0 +1,137 @@ +[[prebuilt-rule-7-16-4-aws-config-resource-deletion]] +=== AWS Config Resource Deletion + +Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and/or its workload instances. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html +* https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 9 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS Config Resource Deletion + +AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the +resources are related to one another and how they were configured in the past so that you can see how the configurations +and relationships change over time. + +This rule looks for the deletion of AWS Config resources using various API actions. Attackers can do this to cover their +tracks and impact security monitoring that relies on these sources. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Identify the AWS resource that was involved and its criticality, ownership, and role in the environment. Also investigate +if the resource is security-related. +- Investigate other alerts associated with the user account during the past 48 hours. 
+- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and IP address conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and + event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or + DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or + DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-configuration-recorder-stopped.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-configuration-recorder-stopped.asciidoc new file mode 100644 index 0000000000..9499000846 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-configuration-recorder-stopped.asciidoc 
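Review bot: In the AWS Config Resource Deletion rule, the query has no `event.outcome` clause while the sibling Configuration Recorder Stopped rule in this patch requires `event.outcome:success`; that is consistent with the description ("Identifies attempts to delete"), but the investigation guide then says "This rule looks for the deletion of AWS Config resources", so one of the two should state that denied or failed deletions also alert, and the triage steps should tell the analyst to check `event.outcome` first, since a failed attempt from an identity that should not hold Config permissions calls for a different line of questioning than a successful deletion. Separately, `see also <>` in the "Searches indices from" line is an empty cross-reference; it recurs in every file in this patch and needs its target anchor filled in or the phrase removed.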
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-aws-configuration-recorder-stopped]] +=== AWS Configuration Recorder Stopped + +Identifies an AWS configuration change to stop recording a designated set of resources. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html +* https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
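Review bot: The AWS Configuration Recorder Stopped rule carries severity high and risk score 73, but its investigation guide contains only the Setup paragraph, whereas the lower-severity AWS Config Resource Deletion rule in this same patch ships a full "Triage and analysis" section (investigation steps, false positive analysis, response and remediation). The higher-severity rule is the one an analyst is more likely to have to act on; please port the same structure here, with the Config-specific steps of checking whether recording was started again afterwards and which resources went unrecorded in the meantime.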
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-deletion-of-rds-instance-or-cluster.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-deletion-of-rds-instance-or-cluster.asciidoc new file mode 100644 index 0000000000..5d52458316 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-deletion-of-rds-instance-or-cluster.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-aws-deletion-of-rds-instance-or-cluster]] +=== AWS Deletion of RDS Instance or Cluster + +Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) +and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-encryption-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-encryption-disabled.asciidoc new file mode 100644 index 0000000000..e55db2d4d2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-encryption-disabled.asciidoc 
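Review bot: For the AWS Deletion of RDS Instance or Cluster rule, the query alerts on every successful `DeleteDBCluster`, `DeleteGlobalCluster` or `DeleteDBInstance` and the guide has no false positive section; in accounts where infrastructure automation creates and tears down databases this will fire on routine work, so the guide should at least direct the analyst to check the calling identity (assumed role versus IAM user), whether a final snapshot was skipped in the request parameters, and whether the deletion matches a change record, before escalating. The ATT&CK mapping (Impact / Data Destruction) only really applies when no final snapshot was taken, which is another reason to surface that parameter in the triage steps.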
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-aws-ec2-encryption-disabled]] +=== AWS EC2 Encryption Disabled + +Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Data Protection + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Manipulation +** ID: T1565 +** Reference URL: https://attack.mitre.org/techniques/T1565/ +* Sub-technique: +** Name: Stored Data Manipulation +** ID: T1565.001 +** Reference URL: https://attack.mitre.org/techniques/T1565/001/ 
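Review bot: The AWS EC2 Encryption Disabled description already states the key triage fact, that disabling encryption by default does not change existing volumes, but the investigation guide does not use it: the guide is only the Setup paragraph. The useful follow-up is to list volumes and snapshots created in that region after the event timestamp that are unencrypted, and to check whether `EnableEbsEncryptionByDefault` was called again afterwards; please add those steps. Also consider whether Defense Evasion / Impair Defenses fits this action better than Impact / Stored Data Manipulation (T1565.001), since the call changes a protective setting rather than stored data.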
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-full-network-packet-capture-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-full-network-packet-capture-detected.asciidoc new file mode 100644 index 0000000000..c8ace9a33b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-full-network-packet-capture-detected.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-7-16-4-aws-ec2-full-network-packet-capture-detected]] +=== AWS EC2 Full Network Packet Capture Detected + +Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html +* https://github.com/easttimor/aws-incident-response + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Network Security + +*Version*: 5 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and +event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and +event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Automated Exfiltration +** ID: T1020 +** Reference URL: https://attack.mitre.org/techniques/T1020/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data Staged +** ID: T1074 +** Reference URL: https://attack.mitre.org/techniques/T1074/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-network-access-control-list-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-network-access-control-list-creation.asciidoc new file mode 100644 index 0000000000..6995ca97d8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-network-access-control-list-creation.asciidoc 
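Review bot: In the AWS EC2 Full Network Packet Capture Detected rule, the four actions in `event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget)` are not equivalent: only `CreateTrafficMirrorSession` binds a source network interface to a target and starts copying packets, while a filter, filter rule or target on its own mirrors nothing, so a single legitimate setup will raise up to four alerts. Either say so in the description or add a triage step that pivots from the session event to the mirror target and the source interface, which is where the exfiltration risk the description mentions actually shows up. The first reference URL points at the `TrafficMirrorFilter` data type page rather than the Traffic Mirroring feature documentation; a link to the latter would serve the analyst better.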
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-aws-ec2-network-access-control-list-creation]] +=== AWS EC2 Network Access Control List Creation + +Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Network Security + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: External Remote Services +** ID: T1133 +** Reference URL: https://attack.mitre.org/techniques/T1133/ 
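Review bot: The AWS EC2 Network Access Control List Creation query fires on every successful `CreateNetworkAclEntry`, which includes entries whose rule action is deny and entries in ACLs not yet associated with any subnet, so the alert by itself says nothing about exposure. The guide has no triage steps; please add ones that read the rule action, CIDR, port range and rule number from the request parameters (network ACL rules are evaluated in ascending rule-number order, so a low-numbered allow rule takes precedence) and check which subnets the ACL is associated with. The ATT&CK mapping to Persistence / External Remote Services (T1133) also reads oddly for an ACL change; it fits only when the new entry opens remote access, which again argues for documenting that check.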
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-network-access-control-list-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-network-access-control-list-deletion.asciidoc new file mode 100644 index 0000000000..c0709fd7c9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-network-access-control-list-deletion.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-aws-ec2-network-access-control-list-deletion]] +=== AWS EC2 Network Access Control List Deletion + +Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Network Security + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-snapshot-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-snapshot-activity.asciidoc new file mode 100644 index 0000000000..cabf4203ad --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-snapshot-activity.asciidoc 
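Review bot: For the AWS EC2 Network Access Control List Deletion rule, `DeleteNetworkAcl` only succeeds on an ACL that is not associated with any subnet (and never on the default ACL), so a successful deletion of a whole ACL has no effect on live traffic by itself; the traffic-affecting change would be an earlier `ReplaceNetworkAclAssociation` that moved subnets off it, which this query does not cover. `DeleteNetworkAclEntry` is the action of real concern here, in particular the removal of a deny rule. Suggest stating this in the description and adding a triage step to look for the preceding association change on the same ACL ID.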
@@ -0,0 +1,130 @@ +[[prebuilt-rule-7-16-4-aws-ec2-snapshot-activity]] +=== AWS EC2 Snapshot Activity + +An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility +* Exfiltration + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS EC2 Snapshot Activity + +Amazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System +administrators commonly use this for backup operations and data recovery. + +This rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. This can be +used to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail. 
+- Investigate other alerts associated with the user account during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users. +- Contact the account owner and confirm whether they are aware of this activity. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Check if this operation was approved and performed according to the organization's change management policy. +- Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and IP address conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. 
+ - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Transfer Data to Cloud Account +** ID: T1537 +** Reference URL: https://attack.mitre.org/techniques/T1537/ 
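Review bot: The AWS EC2 Snapshot Activity query matches every `ModifySnapshotAttribute` call with no `event.outcome` condition, and the guide step "Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs" does not tell the analyst where that is visible: it is in the request parameters of the CloudTrail event, under the createVolumePermission additions, where a group of `all` means public and the user IDs are the account numbers the snapshot was shared with. Please spell that out, and note that the same API also changes product codes, which is not a sharing change and is the expected false positive. Including failed calls is reasonable given the "dry run attempts" step, but say so in the description so the missing outcome filter is not read as an omission.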
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-vm-export-failure.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-vm-export-failure.asciidoc new file mode 100644 index 0000000000..f1e92ab98c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-ec2-vm-export-failure.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-aws-ec2-vm-export-failure]] +=== AWS EC2 VM Export Failure + +Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility + +*Version*: 5 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Transfer Data to Cloud Account +** ID: T1537 +** Reference URL: https://attack.mitre.org/techniques/T1537/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ 
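Review bot: The AWS EC2 VM Export Failure rule matches `CreateInstanceExportTask` only with `event.outcome:failure`, so a successful export by an identity that already holds the permission produces no alert from this rule, while the description reads as if any export attempt is identified. Either state that only failed (for example, denied) export attempts alert and that a failure is interesting because it suggests an identity probing for permissions it lacks, or confirm there is a companion rule for the success case and reference it. The single reference is the user guide; adding the `CreateInstanceExportTask` API reference would match the pattern the other EC2 rules in this patch follow.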
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-efs-file-system-or-mount-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-efs-file-system-or-mount-deleted.asciidoc new file mode 100644 index 0000000000..031e624c49 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-efs-file-system-or-mount-deleted.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-aws-efs-file-system-or-mount-deleted]] +=== AWS EFS File System or Mount Deleted + +Detects when an EFS file system or mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the file system, or the adversary will be unable to delete the file system. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html +* https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Data Protection + +*Version*: 6 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and +event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ 
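Review bot: The AWS EFS File System or Mount Deleted description says the mount target must be deleted before the file system can be deleted, which means a deliberate teardown produces at least two alerts from this one rule (one `DeleteMountTarget` per mount target, then `DeleteFileSystem`); the investigation guide should tell the analyst to correlate on the file system ID and treat the `DeleteMountTarget` alert as the early warning, since at that point the file system and its data still exist. The first sentence of the description is also hard to parse ("An adversary could break any file system using the mount target that is being deleted"); suggest rewording it to say that deleting a mount target cuts off every instance that mounts the file system through it.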
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-elasticache-security-group-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-elasticache-security-group-created.asciidoc new file mode 100644 index 0000000000..657f6c9fa0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-elasticache-security-group-created.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-aws-elasticache-security-group-created]] +=== AWS ElastiCache Security Group Created + +Identifies when an ElastiCache security group has been created. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 5 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and +event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
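Review bot: In the AWS ElastiCache Security Group Created query, `event.action:"Create Cache Security Group"` uses a space-separated form, but the CloudTrail eventName for this operation is the API name `CreateCacheSecurityGroup` (as in the reference URL `API_CreateCacheSecurityGroup.html`), and every other rule in this patch matches `event.action` against the unspaced API name. Unless the ingest pipeline rewrites the action, this rule will never match; please verify against a real CloudTrail event and align the value with the API name. The ATT&CK mapping (Defense Evasion / Disable or Modify Cloud Firewall) is also a stretch for the creation of a security group, which by itself grants nothing; the modified-or-deleted sibling rule is where that mapping belongs.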
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-elasticache-security-group-modified-or-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-elasticache-security-group-modified-or-deleted.asciidoc new file mode 100644 index 0000000000..70271fdcd5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-elasticache-security-group-modified-or-deleted.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-aws-elasticache-security-group-modified-or-deleted]] +=== AWS ElastiCache Security Group Modified or Deleted + +Identifies when an ElastiCache security group has been modified or deleted. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 5 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or +"Authorize Cache Security Group Ingress" or "Revoke Cache Security Group Ingress" or "AuthorizeCacheSecurityGroupEgress" or +"RevokeCacheSecurityGroupEgress") and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
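Review bot: The AWS ElastiCache Security Group Modified or Deleted query mixes two naming conventions in one list: `"Delete Cache Security Group"`, `"Authorize Cache Security Group Ingress"` and `"Revoke Cache Security Group Ingress"` are space-separated, while `"AuthorizeCacheSecurityGroupEgress"` and `"RevokeCacheSecurityGroupEgress"` are in API-name form. CloudTrail records the API name (`DeleteCacheSecurityGroup`, `AuthorizeCacheSecurityGroupIngress`, `RevokeCacheSecurityGroupIngress`), so the three spaced values are unlikely to match anything. I also cannot find Egress variants of these operations in the ElastiCache API reference; the linked reference is only the Welcome page, so please point the references at the specific operation pages and drop any action that does not exist.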
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-eventbridge-rule-disabled-or-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-eventbridge-rule-disabled-or-deleted.asciidoc new file mode 100644 index 0000000000..0cb30112eb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-eventbridge-rule-disabled-or-deleted.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-aws-eventbridge-rule-disabled-or-deleted]] +=== AWS EventBridge Rule Disabled or Deleted + +Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html +* https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring +* Impact + +*Version*: 6 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and +event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ 
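Review bot: the rule query only matches `DeleteRule` and `DisableRule`, but the loss of visibility the summary describes is reached just as well by `RemoveTargets` (the rule stays enabled and fires into nothing) or by `PutRule` with `State` set to `DISABLED`, both logged under `event.provider:eventbridge.amazonaws.com`, and neither is caught. Add `RemoveTargets` to the action list and call out the `PutRule` case in the guide. The guide currently holds only the Setup paragraph, so there is no triage step telling the analyst to pull the rule name and event bus from the request parameters to see which downstream consumer (alerting pipeline, Lambda, SIEM forwarder) went dark, which is the first thing to establish for an Impact-tagged rule.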
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-execution-via-system-manager.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-execution-via-system-manager.asciidoc new file mode 100644 index 0000000000..088f04021c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-execution-via-system-manager.asciidoc 
@@ -0,0 +1,134 @@ +[[prebuilt-rule-7-16-4-aws-execution-via-system-manager]] +=== AWS Execution via System Manager + +Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Log Auditing +* Initial Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS Execution via System Manager + +Amazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply +operating system patches, create system images, and configure Windows and Linux operating systems. + +This rule looks for the execution of commands and scripts using System Manager. Note that the actual contents of these +scripts and commands are not included in the event, so analysts must gain visibility using an host-level security product. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate +software installations. 
+- Investigate the commands or scripts using host-level visibility. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users. +- Contact the account owner and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and IP address conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ 
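Review bot: the ATT&CK mapping at the end of this hunk (Initial Access, Phishing, Spearphishing Link, T1566.002) does not describe what the rule query detects, which is `SendCommand` via `ssm.amazonaws.com`, i.e. command execution on instances by an already-authenticated principal; the summary says so itself ("can be abused by an authenticated attacker"). Map it under Execution (TA0002) and either drop the Initial Access tag or justify it. Two smaller points in the same hunk: the query matches every `SendCommand` regardless of document, so `AWS-RunShellScript` and `AWS-RunPowerShellScript` invocations are indistinguishable from inventory or patch documents unless the analyst checks `documentName` in the request parameters, which the false positive section should say; and the wording should read "Systems Manager" (title, summary and guide say "System Manager"), "a host-level security product" rather than "an host-level", and "and the like" rather than "and alike".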
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-guardduty-detector-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-guardduty-detector-deletion.asciidoc new file mode 100644 index 0000000000..c1322fb5f9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-guardduty-detector-deletion.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-aws-guardduty-detector-deletion]] +=== AWS GuardDuty Detector Deletion + +Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html +* https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
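Review bot: the rule query covers only `DeleteDetector`, but an adversary who wants GuardDuty quiet without the conspicuous delete can call `UpdateDetector` with `Enable` set to `false`, which suspends the detector so findings stop while nothing is deleted, or detach the account from its administrator with `DisassociateFromMasterAccount`; neither matches. Since the summary motivates the rule with "GuardDuty stops monitoring the environment", suspension belongs in scope, either as an additional action here or as a sibling rule. The investigation guide is Setup-only; it should at least tell the analyst to look for a following `CreateDetector` from the same principal, which is how a deletion is dressed up as a reconfiguration while the findings history is gone.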
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-assume-role-policy-update.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-assume-role-policy-update.asciidoc new file mode 100644 index 0000000000..6212e13319 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-assume-role-policy-update.asciidoc 
@@ -0,0 +1,125 @@ +[[prebuilt-rule-7-16-4-aws-iam-assume-role-policy-update]] +=== AWS IAM Assume Role Policy Update + +Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS IAM Assume Role Policy Update + +An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar +to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot +do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone +who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated +with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. + +The role trust policy is a JSON document in which you define the principals you trust to assume the role. This policy is +a required resource-based policy that is attached to a role in IAM. An attacker may attempt to modify this policy by +using the `UpdateAssumeRolePolicy` API action to gain the privileges of that role. 
+ +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher +confidence. Consider adding exceptions — preferably with a combination of the user agent and user ID conditions — to +cover administrator activities and infrastructure as code tooling. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Use AWS [policy versioning](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html) to restore the trust policy to the desired state. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other +IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-brute-force-of-assume-role-policy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-brute-force-of-assume-role-policy.asciidoc new file mode 100644 index 0000000000..29c22cbbec --- /dev/null 
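Review bot: the remediation step "Use AWS policy versioning to restore the trust policy to the desired state" is wrong for this rule: the linked page covers versions of customer managed policies, whereas a role's trust policy (`AssumeRolePolicyDocument`) is an inline resource-based policy on the role and keeps no version history. The previous document has to be recovered from elsewhere, typically the `requestParameters` of the earlier `CreateRole` or `UpdateAssumeRolePolicy` event in CloudTrail or from the infrastructure-as-code source, and reapplied with `UpdateAssumeRolePolicy`. While here, the "Possible investigation steps" never tell the analyst to read the new `policyDocument` from the event and look for an unfamiliar account ID or a wildcard `Principal`, which is the actual evidence that the role was opened to an outside party; that check should be the first step, ahead of the generic account review.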
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-brute-force-of-assume-role-policy.asciidoc 
@@ -0,0 +1,132 @@ +[[prebuilt-rule-7-16-4-aws-iam-brute-force-of-assume-role-policy]] +=== AWS IAM Brute Force of Assume Role Policy + +Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities +* https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS IAM Brute Force of Assume Role Policy + +An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar +to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot +do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone +who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated +with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. 
+ +Attackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or +hijack the discovered role. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute +force attack. +- Verify if the user account successfully updated a trust policy in the last 24 hours. +- Examine whether this role existed in the environment by looking for past occurrences in your logs. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal +time of day? +- Examine the account's commands, API calls, and data management actions in the last 24 hours. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment. +If only one role was targeted in the requests and that role previously existed, it may be a false positive, since +automations can continue targeting roles that existed in the environment in the past and cause false positives (FPs). + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. 
+ - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other +IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and + event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and + aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-deactivation-of-mfa-device.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-deactivation-of-mfa-device.asciidoc new file mode 100644 index 0000000000..22e196e7dd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-deactivation-of-mfa-device.asciidoc 
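Review bot: the title and summary say "failed attempts to assume an AWS IAM role", but the rule query does not look at `AssumeRole` at all; it counts `UpdateAssumeRolePolicy` calls failing with `MalformedPolicyDocumentException`. That is the enumeration trick from the referenced Rhino post: the caller repeatedly sets the trust policy of a role it controls to a guessed principal ARN and uses the error to learn whether that principal exists, so the failing events come from the account doing the guessing, and the identity being probed can live in another account. Say this in the summary and in "Possible investigation steps", because an analyst reading "brute force of assume role policy" will search for `AssumeRole` failures and find none; the step "Verify if the `RoleName` parameter contains a unique value" should also point at the `Principal` inside the submitted policy document, since `RoleName` is the caller's own role and the guessed value is the principal. Separately, this is a `threshold` rule but the rendered page shows no threshold field or count, so the reader cannot tell how many failures in the 20 minute window trigger an alert; if the doc generator can emit that, it should.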
@@ -0,0 +1,124 @@ +[[prebuilt-rule-7-16-4-aws-iam-deactivation-of-mfa-device]] +=== AWS IAM Deactivation of MFA Device + +Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html +* https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 8 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS IAM Deactivation of MFA Device + +Multi-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your +user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for +their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA +device (the second factor—what they have). Taken together, these multiple factors provide increased security for your +AWS account settings and resources. + +For more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html). + +This rule looks for the deactivation or deletion of AWS MFA devices. 
These modifications weaken account security and can +lead to the compromise of accounts and other assets. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- While this activity can be done by administrators, all users must use MFA. The security team should address any +potential benign true positive (B-TP), as this configuration can risk the user and domain. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. 
+- Reactivate multi-factor authentication for the user. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Account Access Removal +** ID: T1531 +** Reference URL: https://attack.mitre.org/techniques/T1531/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-group-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-group-creation.asciidoc new file mode 100644 index 0000000000..04bd2c18d7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-group-creation.asciidoc 
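Review bot: the summary is lifted from the `DeactivateMFADevice` API reference and reads as if the rule itself "removes it from association with the user name"; it should describe what is detected, and it should mention `DeleteVirtualMFADevice`, which the rule query also matches (the guide says "deactivation or deletion", the summary does not). Two follow-ups in the same hunk: the false positive text "can risk the user and domain" is not an AWS notion and should say "the user and the account"; and the ATT&CK mapping Impact / Account Access Removal (T1531) describes locking a legitimate user out, whereas removing a second factor leaves the account usable with a single factor, which is Modify Authentication Process (T1556). The guide should also have the analyst check whether a new device was registered right afterwards (`EnableMFADevice` or `CreateVirtualMFADevice` by the same principal), since swapping the device for one the attacker holds is the common follow-on.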
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-aws-iam-group-creation]] +=== AWS IAM Group Creation + +Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html +* https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Cloud Account +** ID: T1136.003 +** Reference URL: https://attack.mitre.org/techniques/T1136/003/ 
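Review bot: the ATT&CK mapping Create Account / Cloud Account (T1136.003) is a stretch for `CreateGroup`: a group is not an account and grants nothing by itself; the calls that turn it into persistence are `AttachGroupPolicy` or `PutGroupPolicy` followed by `AddUserToGroup`. The Setup-only investigation guide should at least tell the analyst to pivot on the new group name to those events, and Account Manipulation (T1098) fits the behaviour better than account creation.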
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-group-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-group-deletion.asciidoc new file mode 100644 index 0000000000..c5ba719255 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-group-deletion.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-aws-iam-group-deletion]] +=== AWS IAM Group Deletion + +Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html +* https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Account Access Removal +** ID: T1531 +** Reference URL: https://attack.mitre.org/techniques/T1531/ 
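Review bot: the summary describes the wrong service: "deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group" is the AWS Resource Groups behaviour, whereas the rule query matches IAM `DeleteGroup`, which deletes an IAM user group. Per the linked `DeleteGroup` reference the call only succeeds once the group has no users and no attached policies, so the meaningful precursors are `RemoveUserFromGroup`, `DetachGroupPolicy` and `DeleteGroupPolicy` by the same principal shortly before; rewrite the summary and mention those in the guide, since that removal sequence, not the final `DeleteGroup`, is where users lose their permissions and where the Account Access Removal mapping actually applies.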
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-password-recovery-requested.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-password-recovery-requested.asciidoc new file mode 100644 index 0000000000..f37dba510d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-password-recovery-requested.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-aws-iam-password-recovery-requested]] +=== AWS IAM Password Recovery Requested + +Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/ + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-user-addition-to-group.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-user-addition-to-group.asciidoc new file mode 100644 index 0000000000..ed2e1fb872 --- /dev/null 
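Review bot: the investigation guide for AWS IAM Password Recovery Requested stops at the Setup section, although the description frames the event as a possible abuse of the recovery flow and sibling rules in this package (AWS IAM User Addition to Group, AWS Management Console Root Login) carry triage, false-positive and response sections. Because a password recovery request is also a routine user action, a short false-positive note (confirm with the account owner that they initiated the request, and check whether the source IP and geolocation are usual for that user) would let analysts close the low-severity alert quickly when it is benign.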
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-iam-user-addition-to-group.asciidoc 
@@ -0,0 +1,126 @@ +[[prebuilt-rule-7-16-4-aws-iam-user-addition-to-group]] +=== AWS IAM User Addition to Group + +Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Identity and Access +* Credential Access +* Persistence + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS IAM User Addition to Group + +AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify +who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to +your workforce and systems to ensure least-privilege permissions. + +This rule looks for the addition of users to a specified user group. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. 
+ +### False positive analysis + +- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher +confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions — to +reduce noise from onboarding processes and administrator activities. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other +IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-management-console-brute-force-of-root-user-identity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-management-console-brute-force-of-root-user-identity.asciidoc new file mode 100644 index 0000000000..9c63719f8b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-management-console-brute-force-of-root-user-identity.asciidoc 
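Review bot: in the MITRE ATT&CK section, the Credential Access tactic (`** Name: Credential Access`, `** ID: TA0006`) is listed without any technique beneath it, while Persistence is followed by T1098 Account Manipulation; either add the technique that justifies the Credential Access tactic or drop that tactic and the matching "Credential Access" tag so the mapping stays consistent. Separately, the description "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM)." reads as copied from the API reference; "an IAM user group" would be clearer to a reader who has no "specified" group in mind.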
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-aws-management-console-brute-force-of-root-user-identity]] +=== AWS Management Console Brute Force of Root User Identity + +Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ 
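Review bot: this is a threshold rule whose description promises "a high number of failed authentication attempts", but the rendered page does not state the threshold value or the field the count is grouped on, so a reader cannot tell how many failures within the now-20m window raise the high-severity alert or whether the count is per source address or per account. Suggest adding the threshold settings to the page next to the other rule metadata so analysts can tune expectations and exceptions against a known number.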
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-management-console-root-login.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-management-console-root-login.asciidoc new file mode 100644 index 0000000000..4e31c3d272 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-management-console-root-login.asciidoc 
@@ -0,0 +1,123 @@ +[[prebuilt-rule-7-16-4-aws-management-console-root-login]] +=== AWS Management Console Root Login + +Identifies a successful login to the AWS Management Console by the Root user. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS Management Console Root Login + +The AWS root account is the one identity that has complete access to all AWS services and resources in the account, +which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your +everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create +your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and +service management tasks. AWS provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root). + +This rule looks for attempts to log in to the AWS Management Console as the root user. + +#### Possible investigation steps + +- Investigate other alerts associated with the user account during the past 48 hours. +- Examine whether this activity is common in the environment by looking for past occurrences on your logs. +- Consider the source IP address and geolocation for the calling user who issued the command. 
Do they look normal for the + calling user? +- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours. +- Contact the account owner and confirm whether they are aware of this activity. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers, +services, and data accessed by the account in the last 24 hours. + +### False positive analysis + +- The alert can be dismissed if this operation is done under change management and approved according to the +organization's policy for performing a task that needs this privilege level. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Identify the services or servers involved criticality. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify if there are any regulatory or legal ramifications related to this activity. +- Configure multi-factor authentication for the user. +- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-cluster-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-cluster-creation.asciidoc new file mode 100644 index 0000000000..83351944e8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-cluster-creation.asciidoc 
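Review bot: the triage text says "This rule looks for attempts to log in to the AWS Management Console as the root user." while the description and the query (`event.outcome:success`) match only successful root logins; suggest "successful logins ... as the root user" so the guide does not suggest that failed attempts are covered (those belong to the separate brute-force rule). In the Response and remediation list, "Identify the services or servers involved criticality." is ungrammatical; the wording used by the AWS IAM User Addition to Group guide in this same package, "Assess the criticality of affected services and servers.", fits here.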
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-aws-rds-cluster-creation]] +=== AWS RDS Cluster Creation + +Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: External Remote Services +** ID: T1133 +** Reference URL: https://attack.mitre.org/techniques/T1133/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ 
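Review bot: the MITRE ATT&CK section ends with a Defense Evasion tactic entry (`** Name: Defense Evasion`, `** ID: TA0005`) that has no technique under it, unlike the Persistence entry above it which is followed by T1133 External Remote Services; add the technique that motivates the Defense Evasion mapping or remove the tactic. The Tags list (Asset Visibility only) also does not reflect either tactic; adding "Persistence" as the AWS RDS Instance Creation rule in this package does would keep tagging consistent.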
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-instance-cluster-stoppage.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-instance-cluster-stoppage.asciidoc new file mode 100644 index 0000000000..1eb58361c3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-instance-cluster-stoppage.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-aws-rds-instance-cluster-stoppage]] +=== AWS RDS Instance/Cluster Stoppage + +Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-instance-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-instance-creation.asciidoc new file mode 100644 index 0000000000..23ec234639 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-instance-creation.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-aws-rds-instance-creation]] +=== AWS RDS Instance Creation + +Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility +* Persistence + +*Version*: 6 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ 
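Review bot: the description "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance." is narrower than the query, which matches `event.action:CreateDBInstance` for any engine with no Aurora condition; suggest dropping "Aurora" from the description or, if Aurora is the intended scope, adding the engine filter to the query. The ATT&CK section also lists the Persistence tactic without any technique beneath it.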
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-security-group-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-security-group-creation.asciidoc new file mode 100644 index 0000000000..c00c965d9a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-security-group-creation.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-aws-rds-security-group-creation]] +=== AWS RDS Security Group Creation + +Identifies the creation of an Amazon Relational Database Service (RDS) Security group. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 6 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Cloud Account +** ID: T1136.003 +** Reference URL: https://attack.mitre.org/techniques/T1136/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-security-group-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-security-group-deletion.asciidoc new file mode 100644 index 0000000000..34449b3d0b --- /dev/null 
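Review bot: the ATT&CK mapping to T1136 Create Account and T1136.003 Cloud Account does not match what the query detects: `event.action:CreateDBSecurityGroup` creates a network access control object for RDS, not an identity. A mapping under T1578 Modify Cloud Compute Infrastructure, as the AWS RDS Snapshot Restored rule in this package uses, would describe the activity more accurately; also lower-case "Security group" to "security group" in the description.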
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-security-group-deletion.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-aws-rds-security-group-deletion]] +=== AWS RDS Security Group Deletion + +Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 6 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Account Access Removal +** ID: T1531 +** Reference URL: https://attack.mitre.org/techniques/T1531/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-snapshot-export.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-snapshot-export.asciidoc new file mode 100644 index 0000000000..33ad578f8d --- /dev/null 
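Review bot: mapping `event.action:DeleteDBSecurityGroup` to T1531 Account Access Removal is inaccurate, since deleting an RDS security group removes no user account or credential; like its creation counterpart above, this fits better under the Impact tactic with a technique describing modification of cloud infrastructure, or under a service-disruption technique such as T1489 Service Stop used by the AWS RDS Instance/Cluster Stoppage rule, if the intended concern is loss of database connectivity.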
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-snapshot-export.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-aws-rds-snapshot-export]] +=== AWS RDS Snapshot Export + +Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility +* Exfiltration + +*Version*: 4 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-snapshot-restored.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-snapshot-restored.asciidoc new file mode 100644 index 0000000000..b6745492ac --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-rds-snapshot-restored.asciidoc 
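Review bot: the description "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot." is narrower than the query, which fires on any successful `StartExportTask` with no engine condition; drop "Aurora" or filter on it. The ATT&CK section lists the Exfiltration tactic with no technique beneath it; adding one would make the mapping consistent with the other rules in the package.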
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-aws-rds-snapshot-restored]] +=== AWS RDS Snapshot Restored + +Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html +* https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and +event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Cloud Compute Infrastructure +** ID: T1578 +** Reference URL: https://attack.mitre.org/techniques/T1578/ +* Sub-technique: +** Name: Revert Cloud Instance +** ID: T1578.004 +** Reference URL: https://attack.mitre.org/techniques/T1578/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-redshift-cluster-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-redshift-cluster-creation.asciidoc new file mode 100644 index 0000000000..cd65434186 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-redshift-cluster-creation.asciidoc 
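Review bot: "*Searches indices from*: None" combined with "*Runs every*: 5m" means this rule has no explicit lookback window, unlike every other rule in this package (now-60m or now-20m); without a `from` value that overlaps the run interval, events ingested with delay can fall between consecutive runs and never be evaluated. Set an explicit lookback. Separately, the description's advice ("If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.") concerns snapshot attribute changes, but the query only matches `RestoreDBInstanceFromDBSnapshot`; either clarify that the sharing check is a manual triage step or note that snapshot permission changes are not detected here.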
@@ -0,0 +1,70 @@ +[[prebuilt-rule-7-16-4-aws-redshift-cluster-creation]] +=== AWS Redshift Cluster Creation + +Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility +* Persistence + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-root-login-without-mfa.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-root-login-without-mfa.asciidoc new file mode 100644 index 0000000000..413ec33802 --- /dev/null 
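Review bot: the description ("Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue") implies the rule distinguishes non-administrative callers, but the query matches every successful `CreateCluster` regardless of who issued it; reword to make clear that the user's role is something the analyst checks during triage, not something the rule filters on. The ATT&CK section also lists the Persistence tactic without a technique.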
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-root-login-without-mfa.asciidoc 
@@ -0,0 +1,126 @@ +[[prebuilt-rule-7-16-4-aws-root-login-without-mfa]] +=== AWS Root Login Without MFA + +Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS Root Login Without MFA + +Multi-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your +user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for +their user name and password, as well as for an authentication code from their AWS MFA device. Taken together, these +multiple factors provide increased security for your AWS account settings and resources. + +For more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html). + +The AWS root account is the one identity that has complete access to all AWS services and resources in the account, +which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your +everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create +your first IAM user. 
Then securely lock away the root user credentials and use them to perform only a few account and +service management tasks. Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root). + +This rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning +the account is not secured properly. + +#### Possible investigation steps + +- Investigate other alerts associated with the user account during the past 48 hours. +- Examine whether this activity is common in the environment by looking for past occurrences on your logs. +- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the + calling user? +- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours. +- Contact the account owner and confirm whether they are aware of this activity. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers, +services, and data accessed by the account in the last 24 hours. + +### False positive analysis + +- While this activity is not inherently malicious, the root account must use MFA. The security team should address any +potential benign true positive (B-TP), as this configuration can risk the entire cloud environment. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Identify the services or servers involved criticality. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. 
+ - Identify if there are any regulatory or legal ramifications related to this activity. +- Configure multi-factor authentication for the user. +- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and + aws.cloudtrail.user_identity.type:Root and + aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and + event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-53-domain-transfer-lock-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-53-domain-transfer-lock-disabled.asciidoc new file mode 100644 index 0000000000..fd400ab8ec --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-53-domain-transfer-lock-disabled.asciidoc 
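Review bot: the description says the rule "identifies attempts to login", but the Rule query block requires `event.outcome:success`, so failed root sign-ins (including password guessing against the root user) never alert; either reword to "successful root console logins without MFA" or drop the outcome filter and let analysts separate success from failure in triage. Two further gaps worth a sentence in the guide: the query only sees `event.action:ConsoleLogin`, so root API activity with long-lived access keys is out of scope for this rule and needs its own detection, and the Response step "Configure multi-factor authentication for the user" should say root user explicitly, since the remediation for this alert is an MFA device on the root account itself (and removal of any root access keys, per the linked AWS root-user guidance).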
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-aws-route-53-domain-transfer-lock-disabled]] +=== AWS Route 53 Domain Transfer Lock Disabled + +Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html +* https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility + +*Version*: 4 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ 
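Review bot: verify the `event.provider` value in the Rule query block against a real event before shipping: the second reference URL is `API_domains_DisableDomainTransferLock.html`, i.e. the Route 53 Domains API, which is a separate service endpoint from hosted-zone operations and is recorded by CloudTrail under its own eventSource (`route53domains.amazonaws.com`); if that is what CloudTrail emits, `event.provider:route53.amazonaws.com` never matches and the rule is dead on arrival. Also, the ATT&CK block lists Credential Access (TA0006) with no technique under it; removing a registrar transfer lock is a domain-hijack enabler, not a credential-access step, so either justify the mapping or drop it.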
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-53-domain-transferred-to-another-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-53-domain-transferred-to-another-account.asciidoc new file mode 100644 index 0000000000..f758a6ec08 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-53-domain-transferred-to-another-account.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-aws-route-53-domain-transferred-to-another-account]] +=== AWS Route 53 Domain Transferred to Another Account + +Identifies when a request has been made to transfer a Route 53 domain to another AWS account. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility + +*Version*: 4 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ 
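Review bot: `TransferDomainToAnotherAwsAccount` is a Route 53 Domains API operation, so confirm that CloudTrail records it with eventSource `route53.amazonaws.com` rather than `route53domains.amazonaws.com` before relying on the `event.provider:route53.amazonaws.com` filter in the Rule query block; if the Domains API logs under its own eventSource, this query cannot match. The description should also note that this event is only the first half of a transfer: the domain moves when the receiving account calls `AcceptDomainTransferFromAnotherAwsAccount`, and the sender can back out with `CancelDomainTransferToAnotherAwsAccount`, so triage should look for the matching accept or cancel and the guide should say so. The Credential Access tactic at the end of the ATT&CK block is listed without a technique and does not describe a domain transfer.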
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-table-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-table-created.asciidoc new file mode 100644 index 0000000000..14113bb574 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-table-created.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-aws-route-table-created]] +=== AWS Route Table Created + +Identifies when an AWS Route Table has been created. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/ +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Network Security +* Persistence + +*Version*: 6 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and +event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ 
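Review bot: the Rule query block filters on `event.provider:cloudtrail.amazonaws.com`, but `CreateRoute` and `CreateRouteTable` are EC2 API operations (the reference URLs are under AWSEC2/latest/APIReference) and CloudTrail records them with eventSource `ec2.amazonaws.com`, the value the Security Group and VPC Flow Logs rules in this same package use; as written this rule cannot match a real event. Change the filter to `event.provider:ec2.amazonaws.com`. The ATT&CK block maps the Persistence tactic with no technique; add one or drop the tactic.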
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-table-modified-or-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-table-modified-or-deleted.asciidoc new file mode 100644 index 0000000000..434f3c92d7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route-table-modified-or-deleted.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-aws-route-table-modified-or-deleted]] +=== AWS Route Table Modified or Deleted + +Identifies when an AWS Route Table has been modified or deleted. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/easttimor/aws-incident-response#network-routing +* https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/ +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Network Security +* Persistence + +*Version*: 6 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or +DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc new file mode 100644 index 0000000000..9fa0ed6d0b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc 
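Review bot: `event.provider:cloudtrail.amazonaws.com` in the Rule query block is the wrong eventSource for `ReplaceRoute`, `ReplaceRouteTableAssociation`, `DeleteRouteTable`, `DeleteRoute` and `DisassociateRouteTable`; these are EC2 API calls (see the AWSEC2 reference URLs) and appear in CloudTrail as `ec2.amazonaws.com`, so the rule will never fire until the filter is corrected. The description could also say why route-table changes matter, since the only hint is the easttimor incident-response reference: a replaced default route or a disassociated table can redirect a subnet's traffic through an attacker-controlled instance or cut it off from its NAT or inspection path. As with the creation rule, the ATT&CK block has a tactic with no technique.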
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-aws-route53-private-hosted-zone-associated-with-a-vpc]] +=== AWS Route 53 private hosted zone associated with a VPC + +Identifies when a Route 53 private hosted zone has been associated with a virtual private cloud (VPC). + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility + +*Version*: 4 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and +event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-s3-bucket-configuration-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-s3-bucket-configuration-deletion.asciidoc new file mode 100644 index 0000000000..978ffb2f23 --- /dev/null 
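Review bot: the description tells the analyst what happened but not why it is worth an alert; a private hosted zone associated with a VPC answers queries for its names inside that VPC and takes precedence over public DNS for them, so an unexpected association can silently redirect internal hostnames, and that one sentence belongs in the description or an investigation guide (the rule has none). The ATT&CK mapping to Account Manipulation (T1098) does not fit a DNS configuration change; choose a technique that describes traffic redirection or drop the technique. Minor: the Tags list omits Persistence while the tactic block lists it, which is inconsistent with the sibling Route 53 rules in this package.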
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-s3-bucket-configuration-deletion.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-aws-s3-bucket-configuration-deletion]] +=== AWS S3 Bucket Configuration Deletion + +Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html +* https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html +* https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html +* https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html +* https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Asset Visibility + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and + event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or + DeleteBucketEncryption or DeleteBucketLifecycle) + and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal on Host +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ 
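Review bot: the ATT&CK mapping to Indicator Removal on Host (T1070) is a poor fit: deleting a bucket policy, default encryption, CORS, lifecycle or replication configuration weakens controls on the bucket rather than erasing evidence on a host, so Impair Defenses (T1562) under the already-listed Defense Evasion tactic describes it better. The rule also ships without an investigation guide, and the one thing an analyst needs is that the five actions in the Rule query block differ sharply in impact: `DeleteBucketPolicy` can remove the only access restriction on the bucket, `DeleteBucketEncryption` affects default encryption of new objects only, `DeleteBucketReplication` breaks a backup or audit copy, while `DeleteBucketLifecycle` and `DeleteBucketCors` are mostly operational; triage priority should follow the action. Consider whether `DeletePublicAccessBlock`, which removes the public-access guardrail, belongs in the same list.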
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-saml-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-saml-activity.asciidoc new file mode 100644 index 0000000000..807804dc33 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-saml-activity.asciidoc 
@@ -0,0 +1,87 @@ +[[prebuilt-rule-7-16-4-aws-saml-activity]] +=== AWS SAML Activity + +Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html +* https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or +UpdateSAMLProvider) and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Application Access Token +** ID: T1550.001 +** Reference URL: https://attack.mitre.org/techniques/T1550/001/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-security-group-configuration-change-detection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-security-group-configuration-change-detection.asciidoc new file mode 100644 index 0000000000..9a41e6b155 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-security-group-configuration-change-detection.asciidoc 
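Review bot: `event.action:(Assumerolewithsaml or UpdateSAMLProvider)` in the Rule query block mixes case: the STS eventName is `AssumeRoleWithSAML` (the second reference URL is `API_AssumeRoleWithSAML.html`), and `event.action` is a keyword field in the CloudTrail dataset, so the lowercased spelling never matches and only `UpdateSAMLProvider` is actually detected today. Fix the spelling, then reconsider the pairing: once `AssumeRoleWithSAML` matches, every federated sign-in through the IdP alerts, which in an SSO environment is constant low-value noise, whereas `UpdateSAMLProvider` (swapping the IdP metadata, the persistence path the description alludes to) is rare and high-signal. Splitting the two into separate rules, or keeping only the provider-mutation actions (`UpdateSAMLProvider`, plus `CreateSAMLProvider` and `DeleteSAMLProvider` for completeness), would let the severity and risk score mean something.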
@@ -0,0 +1,84 @@ +[[prebuilt-rule-7-16-4-aws-security-group-configuration-change-detection]] +=== AWS Security Group Configuration Change Detection + +Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Network Security + +*Version*: 7 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or +CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or +RevokeSecurityGroupIngress) and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-security-token-service-sts-assumerole-usage.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-security-token-service-sts-assumerole-usage.asciidoc new file mode 100644 index 0000000000..588a03ce17 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-security-token-service-sts-assumerole-usage.asciidoc 
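Review bot: the action list in the Rule query block omits `AuthorizeSecurityGroupIngress`, the call that opens inbound access and the one most often abused, while including both Revoke variants and `AuthorizeSecurityGroupEgress`; add it, and `DeleteSecurityGroup` if the rule is meant to cover configuration changes generally. `ModifyInstanceAttribute` is also far broader than the description suggests: it covers instance type, user data, termination protection and other attributes, and is a security-group change only when security groups appear in the request parameters (the `groupSet` field), so either filter on those parameters or expect noise and document it; the rule currently has no investigation guide to carry that caveat.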
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-aws-security-token-service-sts-assumerole-usage]] +=== AWS Security Token Service (STS) AssumeRole Usage + +Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and +aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Application Access Token +** ID: T1550.001 +** Reference URL: https://attack.mitre.org/techniques/T1550/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-sts-getsessiontoken-abuse.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-sts-getsessiontoken-abuse.asciidoc new file mode 100644 index 0000000000..f76f247e79 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-sts-getsessiontoken-abuse.asciidoc 
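Review bot: `event.action:AssumedRole` in the Rule query block is not an STS eventName: the API operation, and the reference URL, is `AssumeRole`, while `AssumedRole` is the value CloudTrail puts in `userIdentity.type` when the caller is a role session, so as written the action filter does not match. Note also that the `session_context.session_issuer.type:Role` condition restricts the caller to an identity already running on role credentials, so what the rule really looks for is role chaining (a role session calling AssumeRole), which is narrower and more useful than the description's "identifies the use of AssumeRole"; the title and description should say that. "Searches indices from: None" leaves the lookback to the engine default; set an explicit `from` (the other rules in this package use now-25m or now-60m) so the 5m schedule does not miss late-arriving CloudTrail events.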
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-aws-sts-getsessiontoken-abuse]] +=== AWS STS GetSessionToken Abuse + +Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 4 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and +aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Application Access Token +** ID: T1550.001 +** Reference URL: https://attack.mitre.org/techniques/T1550/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-vpc-flow-logs-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-vpc-flow-logs-deletion.asciidoc new file mode 100644 index 0000000000..5cd567f0b5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-vpc-flow-logs-deletion.asciidoc 
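Review bot: the title says "Abuse" and the description "suspicious use", but the Rule query block matches every successful `GetSessionToken` by an IAM user, which is exactly the legitimate flow for MFA-protected CLI sessions; nothing in the query distinguishes abuse from routine use. Either add a distinguishing condition (a request from an unfamiliar source IP, or a token request shortly after a new access key is created, both of which need correlation a plain `query` rule cannot express) or retitle the rule as visibility ("AWS STS GetSessionToken Usage") and keep the low severity. "Searches indices from: None" should be an explicit `from`, as in the other rules in this package, so the 5m schedule has a defined lookback.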
@@ -0,0 +1,132 @@ +[[prebuilt-rule-7-16-4-aws-vpc-flow-logs-deletion]] +=== AWS VPC Flow Logs Deletion + +Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS VPC Flow Logs Deletion + +VPC Flow Logs is an AWS feature that enables you to capture information about the IP traffic going to and from network +interfaces in your virtual private cloud (VPC). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. + +This rule identifies the deletion of VPC flow logs using the API `DeleteFlowLogs` action. Attackers can do this to cover +their tracks and impact security monitoring that relies on this source. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. 
+- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and IP address conditions. +- Administrators may rotate these logs after a certain period as part of their retention policy or after importing them +to a SIEM. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
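Review bot: in prebuilt-rule-7-16-4-aws-vpc-flow-logs-deletion.asciidoc the query requires `event.outcome:success`, so a denied or failed `DeleteFlowLogs` call never alerts even though the triage text treats the action itself as a defense-evasion indicator; either state that scope in the Investigation guide or explain why failed attempts are excluded, since an AccessDenied on this API is still worth a look at the calling principal. Two smaller points that recur through every file in this package: the query block is tagged `[source, js]` although the content is KQL, not JavaScript, so highlighting is wrong, and the schedule line ends in `see also <>`, an empty cross-reference, so confirm the xref target is present in the source.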
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-waf-access-control-list-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-waf-access-control-list-deletion.asciidoc new file mode 100644 index 0000000000..5edb72a67e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-waf-access-control-list-deletion.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-aws-waf-access-control-list-deletion]] +=== AWS WAF Access Control List Deletion + +Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html +* https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Network Security + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
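Review bot: the query `event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success` has no `event.provider` constraint, unlike the sibling WAF rule-group rule in this package that restricts to `waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com`; add the provider filter for consistency or state why `DeleteWebACL` is unambiguous without it. The references list only the `waf-regional` variant of the API, and the Investigation guide stops at the Setup paragraph with none of the triage, false positive and response sections the VPC Flow Logs rule carries, which leaves a medium-severity alert with no guidance on who to contact or how to confirm the change was approved.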
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-waf-rule-or-rule-group-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-waf-rule-or-rule-group-deletion.asciidoc new file mode 100644 index 0000000000..71e0ec1453 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-aws-waf-rule-or-rule-group-deletion.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-aws-waf-rule-or-rule-group-deletion]] +=== AWS WAF Rule or Rule Group Deletion + +Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html +* https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* Continuous Monitoring +* SecOps +* Network Security + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
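Review bot: the query matches `event.action:(DeleteRule or DeleteRuleGroup)` but both references document only `delete-rule-group` / `DeleteRuleGroup`; add the DeleteRule API reference so an analyst can check either action against the documentation. As with the Web ACL rule, the Investigation guide contains only the Setup paragraph; a short triage section (who issued the deletion, whether it went through change management, which resources lost WAF coverage) would match the pattern used in the VPC Flow Logs rule.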
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-active-directory-high-risk-sign-in.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-active-directory-high-risk-sign-in.asciidoc new file mode 100644 index 0000000000..946517f3e3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-active-directory-high-risk-sign-in.asciidoc 
@@ -0,0 +1,128 @@ +[[prebuilt-rule-7-16-4-azure-active-directory-high-risk-sign-in]] +=== Azure Active Directory High Risk Sign-in + +Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher suspicion that the user or sign-in is compromised. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk +* https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection +* https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 6 + +*Rule authors*: + +* Elastic +* Willem D'Haese + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Azure Active Directory High Risk Sign-in + +Microsoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks. + +This rule identifies events produced by Microsoft Identity Protection with high risk levels or high aggregated risk level. + +#### Possible investigation steps + +- Identify the Risk Detection that triggered the event. 
A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection). +- Identify the user account involved and validate whether the suspicious activity is normal for that user. + - Consider the source IP address and geolocation for the involved user account. Do they look normal? + - Consider the device used to sign in. Is it registered and compliant? +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account owner and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and device conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other +IAM users. +- Consider enabling multi-factor authentication for users. +- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +Note that details for `azure.signinlogs.properties.risk_level_during_signin` and `azure.signinlogs.properties.risk_level_aggregated` +are only available for Azure AD Premium P2 customers. All other customers will be returned `hidden`. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.signinlogs and + (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and + event.outcome:(success or Success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ 
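Review bot: the query restricts to `event.outcome:(success or Success)`, so a high-risk sign-in that Conditional Access blocked never produces an alert; the Investigation guide should say that only successful high-risk sign-ins are reported, because a blocked one still says something about the account. The Setup paragraph correctly notes that the risk fields return `hidden` outside Azure AD Premium P2, but since the query matches only the literal `high`, the effect on such tenants is that the rule is silent rather than degraded; saying that explicitly avoids users assuming coverage they do not have.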
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc new file mode 100644 index 0000000000..3a84ccc6de --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc 
@@ -0,0 +1,124 @@ +[[prebuilt-rule-7-16-4-azure-active-directory-high-risk-user-sign-in-heuristic]] +=== Azure Active Directory High Risk User Sign-in Heuristic + +Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema +* https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection +* https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk +* https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#investigation-framework + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 4 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Azure Active Directory High Risk User Sign-in Heuristic + +Microsoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks. + +This rule identifies events produced by the Microsoft Identity Protection with a risk state equal to `confirmedCompromised` +or `atRisk`. + +#### Possible investigation steps + +- Identify the Risk Detection that triggered the event. 
A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection). +- Identify the user account involved and validate whether the suspicious activity is normal for that user. + - Consider the source IP address and geolocation for the involved user account. Do they look normal? + - Consider the device used to sign in. Is it registered and compliant? +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account owner and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and device conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other +IAM users. +- Consider enabling multi-factor authentication for users. +- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.signinlogs and + azure.signinlogs.properties.risk_state:("confirmedCompromised" or "atRisk") and event.outcome:(success or Success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-active-directory-powershell-sign-in.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-active-directory-powershell-sign-in.asciidoc new file mode 100644 index 0000000000..484e4c1652 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-active-directory-powershell-sign-in.asciidoc 
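Review bot: the Setup section of prebuilt-rule-7-16-4-azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc omits the licensing caveat the sibling high-risk sign-in rule gives for its risk fields; `azure.signinlogs.properties.risk_state` comes from the same Identity Protection source, so confirm whether it has the same Premium P2 dependency and document it if so. The two matched states, `confirmedCompromised` and `atRisk`, describe different stages (the first name implies the compromise has already been confirmed), and the triage text could tell the analyst which one warrants live investigation. Style: "events produced by the Microsoft Identity Protection" should drop "the".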
@@ -0,0 +1,130 @@ +[[prebuilt-rule-7-16-4-azure-active-directory-powershell-sign-in]] +=== Azure Active Directory PowerShell Sign-in + +Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ +* https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Azure Active Directory PowerShell Sign-in + +Azure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT professionals commonly use to manage +their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the +directory, create new objects in the directory, update existing objects, remove objects, as well as configure the +directory and its features. + +This rule identifies sign-ins that use the Azure Active Directory PowerShell module, which can indicate unauthorized +access if done outside of IT or engineering. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. 
+- Evaluate whether the user needs to access Azure AD using PowerShell to complete its tasks. +- Investigate other alerts associated with the user account during the past 48 hours. +- Consider the source IP address and geolocation for the involved user account. Do they look normal? +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate suspicious actions taken by the user using the module, for example, modifications in security settings +that weakens the security policy, persistence-related tasks, and data access. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding IT, Engineering, and other authorized users +as exceptions — preferably with a combination of user and device conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. 
+- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other +IAM users. +- Consider enabling multi-factor authentication for users. +- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.signinlogs and + azure.signinlogs.properties.app_display_name:"Azure Active Directory PowerShell" and + azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Cloud Accounts +** ID: T1078.004 +** Reference URL: https://attack.mitre.org/techniques/T1078/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-ad-global-administrator-role-assigned.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-ad-global-administrator-role-assigned.asciidoc new file mode 100644 index 0000000000..92311cd7ff --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-ad-global-administrator-role-assigned.asciidoc 
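Review bot: the query in prebuilt-rule-7-16-4-azure-active-directory-powershell-sign-in.asciidoc keys entirely on the display-name string `"Azure Active Directory PowerShell"` together with `token_issuer_type:AzureAD`; the description ("a sign-in using the Azure Active Directory PowerShell module") reads broader than the single application name matched, so the guide should state that sign-ins through other command-line tooling are out of scope for this rule. Grammar in the Investigation guide: "to complete its tasks" should be "their tasks", and "modifications in security settings that weakens the security policy" should be "weaken".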
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-azure-ad-global-administrator-role-assigned]] +=== Azure AD Global Administrator Role Assigned + +In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities, such as the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and +azure.auditlogs.operation_name:"Add member to role" and +azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\"Global Administrator\"" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Cloud Roles +** ID: T1098.003 +** Reference URL: https://attack.mitre.org/techniques/T1098/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-alert-suppression-rule-created-or-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-alert-suppression-rule-created-or-modified.asciidoc new file mode 100644 index 0000000000..b5747a7a8d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-alert-suppression-rule-created-or-modified.asciidoc 
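Review bot: the query in prebuilt-rule-7-16-4-azure-ad-global-administrator-role-assigned.asciidoc pins array positions, `azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\"Global Administrator\""`, so it fires only when the role name is the second modified property of the first target resource; an event with a different property order or more than one target resource is missed, and the guide gives no hint of that. If the mapping does not allow matching across the array, at least document the assumption in the Setup section so a silent miss is explainable. The Investigation guide also has no triage content for a medium-severity persistence alert; at minimum point the analyst at verifying the initiating user and the change record, as the AWS VPC rule does.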
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-azure-alert-suppression-rule-created-or-modified]] +=== Azure Alert Suppression Rule Created or Modified + +Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +* https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 5 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and +event.outcome: "success" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
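Review bot: the description says the rule "Identifies the creation of suppression rules", but the title says "Created or Modified" and the matched operation `MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE` covers updates as well; align the description with the title. The outcome filter `event.outcome: "success"` (space after the colon, lowercase form only) differs from the `(success or Success)` pattern the other Azure rules in this package use; if the activity log can emit `Success`, those events are dropped here.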
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-application-credential-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-application-credential-modification.asciidoc new file mode 100644 index 0000000000..22623b18c3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-application-credential-modification.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-azure-application-credential-modification]] +=== Azure Application Credential Modification + +Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Application Access Token +** ID: T1550.001 +** Reference URL: https://attack.mitre.org/techniques/T1550/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-account-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-account-created.asciidoc new file mode 100644 index 0000000000..095ce4eac0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-account-created.asciidoc 
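Review bot: the description of prebuilt-rule-7-16-4-azure-application-credential-modification.asciidoc claims the rule identifies "when a new credential is added", but the only selector is `operation_name:"Update application - Certificates and secrets management"`, which names a management category rather than an add; removals and rotations under the same operation will alert too. Either widen the description to additions, removals and changes, or add a property check that distinguishes an add, and note in the guide that routine secret rotation is an expected false-positive source. The Investigation guide here is Setup only.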
@@ -0,0 +1,84 @@ +[[prebuilt-rule-7-16-4-azure-automation-account-created]] +=== Azure Automation Account Created + +Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor +* https://github.com/hausec/PowerZure +* https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a +* https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/ + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-runbook-created-or-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-runbook-created-or-modified.asciidoc new file mode 100644 index 0000000000..4fa8b3ac96 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-runbook-created-or-modified.asciidoc 
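Review bot: the Rule query block matches `MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE`, which is the resource-provider write operation and therefore also fires when an existing Automation account is updated, not only when one is created; the runbook rule that follows in this patch acknowledges the same behaviour by calling itself "Created or Modified" while matching the corresponding `RUNBOOKS/WRITE` operation. Either retitle this rule the same way or say in the description that updates are matched too, so analysts do not assume every alert is a new account.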
@@ -0,0 +1,72 @@ +[[prebuilt-rule-7-16-4-azure-automation-runbook-created-or-modified]] +=== Azure Automation Runbook Created or Modified + +Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor +* https://github.com/hausec/PowerZure +* https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a +* https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/ + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and + azure.activitylogs.operation_name: + ( + "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE" or + "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE" or + "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION" + ) and + event.outcome:(Success or success) + +---------------------------------- 
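Review bot: this file ends after the Rule query block with no *Framework*: MITRE ATT&CK section, although the description explicitly frames the runbook as a way to "execute malicious code and maintain persistence" and the Automation Account rule earlier in this patch maps the same narrative to Persistence (TA0003) and Valid Accounts (T1078). Add the tactic and technique mapping, and a matching tag, so the rule is consistent with its siblings and discoverable by tactic.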
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-runbook-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-runbook-deleted.asciidoc new file mode 100644 index 0000000000..a410436ac2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-runbook-deleted.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-azure-automation-runbook-deleted]] +=== Azure Automation Runbook Deleted + +Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor +* https://github.com/hausec/PowerZure +* https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a +* https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/ + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Configuration Audit +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and + azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and + event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ 
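Review bot: the *Framework* section lists the Defense Evasion tactic (TA0005) with no technique beneath it, unlike every other mapped rule in this patch, and the description's first stated motive ("disrupt their target's automated business operations") is an Impact scenario that appears in neither the mapping nor the tags. Add a technique under Defense Evasion and consider an Impact tactic or tag so the mapping reflects both motives the description gives.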
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-webhook-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-webhook-created.asciidoc new file mode 100644 index 0000000000..1316e35b3a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-automation-webhook-created.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-azure-automation-webhook-created]] +=== Azure Automation Webhook Created + +Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor +* https://github.com/hausec/PowerZure +* https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a +* https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/ + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and + azure.activitylogs.operation_name: + ( + "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION" or + "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE" + ) and + event.outcome:(Success or success) + +---------------------------------- 
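Review bot: like the runbook rule before it, this file has no *Framework*: MITRE ATT&CK section even though the description casts the webhook as the trigger for "a runbook that contains malicious code"; add a mapping for consistency with the other Automation rules in the package. Separately, `MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE` in the Rule query block is a write operation that also covers updates to an existing webhook, so the "Created" title undersells what the rule fires on; say so in the description or the title.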
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-blob-container-access-level-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-blob-container-access-level-modification.asciidoc new file mode 100644 index 0000000000..1a2e6b202e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-blob-container-access-level-modification.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-azure-blob-container-access-level-modification]] +=== Azure Blob Container Access Level Modification + +Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Asset Visibility + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Cloud Service Discovery +** ID: T1526 +** Reference URL: https://attack.mitre.org/techniques/T1526/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-blob-permissions-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-blob-permissions-modification.asciidoc new file mode 100644 index 0000000000..a799328bdd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-blob-permissions-modification.asciidoc 
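Review bot: the Rule query block matches every successful `MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE`, which is the generic container create/update operation, while the description promises to identify "changes to container access levels". Any container creation or metadata update will alert, so either broaden the description to match the query, or document in the investigation guide that analysts must inspect the request's public access setting to confirm an access-level change, since the operation name alone does not carry it.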
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-azure-blob-permissions-modification]] +=== Azure Blob Permissions Modification + +Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 4 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( + "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION" or + "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION") and + event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ 
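Review bot: `*Searches indices from*: None` is inconsistent with the `now-25m` lookback every other rule in this patch uses; with a 5m interval and no explicit lookback the rule falls back to a much shorter default window than its siblings, so events that arrive with ingest delay can be missed. Set it to `now-25m`. The description also says "Azure role-based access control (Azure RBAC) permissions are modified", but the two operations in the Rule query block (`.../BLOBS/MANAGEOWNERSHIP/ACTION` and `.../BLOBS/MODIFYPERMISSIONS/ACTION`) are per-blob ownership and permission actions rather than role-assignment writes; reword the description to describe what the query actually matches.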
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-command-execution-on-virtual-machine.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-command-execution-on-virtual-machine.asciidoc new file mode 100644 index 0000000000..85f34ea84a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-command-execution-on-virtual-machine.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-azure-command-execution-on-virtual-machine]] +=== Azure Command Execution on Virtual Machine + +Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but does not allow accessing them or the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles, may be able to execute commands on a VM as well. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://adsecurity.org/?p=4277 +* https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a +* https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-conditional-access-policy-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-conditional-access-policy-modified.asciidoc new file mode 100644 index 0000000000..32cd3ee1ee --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-conditional-access-policy-modified.asciidoc 
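Review bot: the investigation guide contains only the data-source setup line, yet the description itself notes that Run Command is a legitimate path for Virtual Machine Contributors and "certain Administrator roles", so this medium-severity rule will fire on routine administration. Add triage guidance (the identity and source IP recorded in the activity log event, the target VM, and whether that actor routinely uses Run Command) so analysts can separate expected operations work from the PowerZure-style abuse the references describe.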
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-azure-conditional-access-policy-modified]] +=== Azure Conditional Access Policy Modified + +Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(azure.activitylogs or azure.auditlogs) and +event.action:"Update conditional access policy" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ 
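Review bot: the Rule query block filters on `event.action:"Update conditional access policy"` across both `azure.activitylogs` and `azure.auditlogs`, while every other Azure rule in this patch matches the dataset-specific `azure.activitylogs.operation_name` or `azure.auditlogs.operation_name` field. Conditional Access policy changes are Azure AD audit-log events, so the `activitylogs` dataset and the different field choice look like leftovers; either align with the `azure.auditlogs.operation_name` convention used by the Application Credential Modification rule or explain in the investigation guide why `event.action` is needed here.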
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-diagnostic-settings-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-diagnostic-settings-deletion.asciidoc new file mode 100644 index 0000000000..a86b4c347d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-diagnostic-settings-deletion.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-azure-diagnostic-settings-deletion]] +=== Azure Diagnostic Settings Deletion + +Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
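Review bot: mapping this rule to T1562.001 (Disable or Modify Tools) is a loose fit for deleting the settings that route platform logs and metrics; ATT&CK has a dedicated sub-technique for exactly this, T1562.008 (Disable or Modify Cloud Logs), and using it would make the rule easier to find when hunting for logging tampering. The description could also state the practical effect (platform logs stop reaching the configured destinations, so later activity is not recorded) rather than only "evade defenses".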
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-event-hub-authorization-rule-created-or-updated.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-event-hub-authorization-rule-created-or-updated.asciidoc new file mode 100644 index 0000000000..1cce2a322f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-event-hub-authorization-rule-created-or-updated.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-azure-event-hub-authorization-rule-created-or-updated]] +=== Azure Event Hub Authorization Rule Created or Updated + +Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Cloud Storage Object +** ID: T1530 +** Reference URL: https://attack.mitre.org/techniques/T1530/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Transfer Data to Cloud Account +** ID: T1537 +** Reference URL: https://attack.mitre.org/techniques/T1537/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-event-hub-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-event-hub-deletion.asciidoc new file mode 100644 index 0000000000..360cf4e08c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-event-hub-deletion.asciidoc 
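Review bot: the *Framework* mapping (Collection T1530, Exfiltration T1537) does not follow from the description, which is about creating or rewriting an authorization rule that "carries a pair of cryptographic keys" and should be treated "like an administrative root account"; that is a credential and persistence story, not theft of data from storage. Either explain in the description how a new shared-access policy leads to collection or exfiltration, or remap the tactics. Also, the Rule query block matches only the namespace-level `MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE`; if authorization rules scoped to an individual event hub carry the same risk, the corresponding event-hub-level write operation should be added.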
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-azure-event-hub-deletion]] +=== Azure Event Hub Deletion + +Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about +* https://azure.microsoft.com/en-in/services/event-hubs/ +* https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
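Review bot: the description says deleting an Event Hub is "an attempt to evade detection" but never says why; the missing link is that Event Hubs are a common destination for the diagnostic settings covered by the Diagnostic Settings Deletion rule in this patch, so deleting one silently stops log forwarding. Stating that in the description, and tagging Monitoring as that rule does instead of Log Auditing, would help analysts understand why the deletion of a messaging resource is a Defense Evasion alert.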
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-external-guest-user-invitation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-external-guest-user-invitation.asciidoc new file mode 100644 index 0000000000..d645029246 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-external-guest-user-invitation.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-azure-external-guest-user-invitation]] +=== Azure External Guest User Invitation + +Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0 + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-firewall-policy-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-firewall-policy-deletion.asciidoc new file mode 100644 index 0000000000..ad70375365 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-firewall-policy-deletion.asciidoc 
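Review bot: the description has a grammatical slip, "it is best practice avoid creating guest users" (missing "to"), and "leading to a potential vulnerability" is vague; say what the risk is (external accounts that keep access after the business need ends and are rarely reviewed). In the Rule query block the `azure.auditlogs.properties.target_resources.*.display_name:guest` clause relies on a wildcard field path and, if the field is mapped as keyword, a case-sensitive match on lowercase `guest`; confirm against a sample "Invite external user" event that the target resource carries that exact value, otherwise the rule will silently match nothing.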
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-azure-firewall-policy-deletion]] +=== Azure Firewall Policy Deletion + +Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers to their objective. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Network Security + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-frontdoor-web-application-firewall-waf-policy-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-frontdoor-web-application-firewall-waf-policy-deleted.asciidoc new file mode 100644 index 0000000000..62b3855727 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-frontdoor-web-application-firewall-waf-policy-deleted.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-azure-frontdoor-web-application-firewall-waf-policy-deleted]] +=== Azure Frontdoor Web Application Firewall (WAF) Policy Deleted + +Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Network Security + +*Version*: 5 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-full-network-packet-capture-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-full-network-packet-capture-detected.asciidoc new file mode 100644 index 0000000000..588851e209 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-full-network-packet-capture-detected.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-azure-full-network-packet-capture-detected]] +=== Azure Full Network Packet Capture Detected + +Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 4 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name: + ( + "MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION" or + "MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION" or + "MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE" + ) and +event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Network Sniffing +** ID: T1040 +** Reference URL: https://attack.mitre.org/techniques/T1040/ 
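Review bot: in the query, the second pattern `"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION"` is redundant with the first, `"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION"`, as soon as the wildcard is allowed to span path segments; either drop the VPN line or, if `*` is intended to match exactly one segment, say so in the description so nobody "simplifies" it later. The third pattern, `"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE"`, is the one that covers Network Watcher captures named in the description, and that should be stated. Minor: this rule tags `Monitoring` where the other Azure network rules in the package use `Network Security`.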
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-global-administrator-role-addition-to-pim-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-global-administrator-role-addition-to-pim-user.asciidoc new file mode 100644 index 0000000000..29fb4bfd0c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-global-administrator-role-addition-to-pim-user.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-azure-global-administrator-role-addition-to-pim-user]] +=== Azure Global Administrator Role Addition to PIM User + +Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global Administrator role can read and modify any administrative setting in your Azure AD organization. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and + azure.auditlogs.operation_name:("Add eligible member to role in PIM completed (permanent)" or + "Add member to role in PIM completed (timebound)") and + azure.auditlogs.properties.target_resources.*.display_name:"Global Administrator" and + event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-key-vault-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-key-vault-modified.asciidoc new file mode 100644 index 0000000000..c0014e54e2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-key-vault-modified.asciidoc 
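Review bot: in the Azure Global Administrator Role Addition to PIM User hunk, `*Searches indices from*: None` combined with `*Runs every*: 5m` leaves the rule with no lookback window, so an audit log event that is indexed a few minutes after the execution that should have matched it is never seen; every other Azure rule in this package sets `now-25m`. Set the same value here (or an explicit `from` in the rule source) rather than relying on the default, since Azure AD audit logs regularly arrive with several minutes of delay and this is a high-severity rule.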
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-azure-key-vault-modified]] +=== Azure Key Vault Modified + +Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts +* https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Data Protection + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Credentials In Files +** ID: T1552.001 +** Reference URL: https://attack.mitre.org/techniques/T1552/001/ 
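Review bot: `MICROSOFT.KEYVAULT/VAULTS/WRITE` in the query fires on vault creation and on any property or tag update, not only on access-policy or network-rule changes, so the description "modifications to a Key Vault" promises more discrimination than the rule has and the guide has no false-positive handling for infrastructure-as-code runs that re-deploy vaults; suggest stating the scope in the description and adding a False positive analysis entry. The ATT&CK mapping also looks off: a vault write is a configuration change, while T1552.001 Credentials In Files describes reading credential material from files.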
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-kubernetes-events-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-kubernetes-events-deleted.asciidoc new file mode 100644 index 0000000000..31630a3db8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-kubernetes-events-deleted.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-azure-kubernetes-events-deleted]] +=== Azure Kubernetes Events Deleted + +Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 7 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and +event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
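Review bot: the operation name `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE` belongs to the Microsoft.Kubernetes resource provider, i.e. Azure Arc-enabled Kubernetes clusters, so event deletions on AKS clusters under Microsoft.ContainerService do not match; the description "events are deleted in Azure Kubernetes" should state that scope, and the same holds for the two other CONNECTEDCLUSTERS rules in this package. Mapping log-record deletion to T1562.001 Disable or Modify Tools is also a stretch; T1070 Indicator Removal is the technique that covers deleting records that would otherwise expose activity.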
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-kubernetes-pods-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-kubernetes-pods-deleted.asciidoc new file mode 100644 index 0000000000..94ad66b41e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-kubernetes-pods-deleted.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-7-16-4-azure-kubernetes-pods-deleted]] +=== Azure Kubernetes Pods Deleted + +Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Asset Visibility + +*Version*: 6 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and +event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ 
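Review bot: the ATT&CK block for Azure Kubernetes Pods Deleted lists the Impact tactic with no technique, while the WAF, Network Watcher and Resource Group rules in this package carry a full tactic/technique chain; if pod deletion is meant as service disruption, T1489 Service Stop is the matching technique and should be added. As with the events rule, `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE` only matches Arc-enabled clusters, and the description should say so.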
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-kubernetes-rolebindings-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-kubernetes-rolebindings-created.asciidoc new file mode 100644 index 0000000000..2456a75993 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-kubernetes-rolebindings-created.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-azure-kubernetes-rolebindings-created]] +=== Azure Kubernetes Rolebindings Created + +Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +* https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 4 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name: + ("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or + "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and +event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-network-watcher-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-network-watcher-deletion.asciidoc new file mode 100644 index 0000000000..9f24b6c988 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-network-watcher-deletion.asciidoc 
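Review bot: for Azure Kubernetes Rolebindings Created, the query matches every `ROLEBINDINGS/WRITE` and `CLUSTERROLEBINDINGS/WRITE`, including updates and bindings to read-only roles, while the description leads with bindings to the `cluster-admin` ClusterRole; the rule never inspects the target role, so the description should say so and the guide should tell the analyst to pull the bound role from the event payload. The Privilege Escalation tactic is listed with no technique, and the `now-20m` lookback differs from the `now-25m` used by the rest of the package without any stated reason.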
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-azure-network-watcher-deletion]] +=== Azure Network Watcher Deletion + +Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Network Security + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-privilege-identity-management-role-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-privilege-identity-management-role-modified.asciidoc new file mode 100644 index 0000000000..1081a915ad --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-privilege-identity-management-role-modified.asciidoc 
@@ -0,0 +1,132 @@ +[[prebuilt-rule-7-16-4-azure-privilege-identity-management-role-modified]] +=== Azure Privilege Identity Management Role Modified + +Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles +* https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Azure Privilege Identity Management Role Modified + +Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and +monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles +such as Global Administrator and Application Administrator. + +This rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough +access to modify role assignment settings. 
+ +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user? +- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal +time of day? +- Check if this operation was approved and performed according to the organization's change management policy. +- Contact the account owner and confirm whether they are aware of this activity. +- Examine the account's commands, API calls, and data management actions in the last 24 hours. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- If this activity didn't follow your organization's change management policies, it should be reviewed by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other +IAM users. +- Restore the PIM roles to the desired state. +- Consider enabling multi-factor authentication for users. +- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ 
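Review bot: the description in this hunk says an adversary "may add a user to a PIM role", but the query matches only `Update role setting in PIM`; member additions are handled by the Global Administrator Role Addition rule earlier in this package, so the description here should be narrowed to role-setting changes such as activation duration, MFA and approval requirements, which is what the triage text already says. The False positive analysis section states a review policy ("it should be reviewed by the security team") rather than naming an expected benign source; move that sentence to the investigation steps and list planned PIM configuration changes as the false-positive case. Mapping Valid Accounts T1078 under both Persistence and Defense Evasion does not describe changing role settings; T1098 Account Manipulation, as used by the Global Administrator rule, fits better.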
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-resource-group-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-resource-group-deletion.asciidoc new file mode 100644 index 0000000000..4313f8d0f5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-resource-group-deletion.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-7-16-4-azure-resource-group-deletion]] +=== Azure Resource Group Deletion + +Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-service-principal-addition.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-service-principal-addition.asciidoc new file mode 100644 index 0000000000..e87eca9d9f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-service-principal-addition.asciidoc 
@@ -0,0 +1,129 @@ +[[prebuilt-rule-7-16-4-azure-service-principal-addition]] +=== Azure Service Principal Addition + +Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ +* https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Azure Service Principal Addition + +Service Principals are identities used by applications, services, and automation tools to access specific resources. +They grant specific access based on the assigned API permissions. Most organizations that work a lot with Azure AD make +use of service principals. Whenever an application is registered, it automatically creates an application object and a +service principal in an Azure AD tenant. + +This rule looks for the addition of service principals. This behavior may enable attackers to impersonate legitimate +service principals to camouflage their activities among noisy automations/apps. 
+ +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user? +- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal +time of day? +- Check if this operation was approved and performed according to the organization's change management policy. +- Contact the account owner and confirm whether they are aware of this activity. +- Examine the account's commands, API calls, and data management actions in the last 24 hours. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a +combination of user and device conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other +IAM users. +- Consider enabling multi-factor authentication for users. +- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Application Access Token +** ID: T1550.001 +** Reference URL: https://attack.mitre.org/techniques/T1550/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-service-principal-credentials-added.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-service-principal-credentials-added.asciidoc new file mode 100644 index 0000000000..f26cca2bc0 --- /dev/null 
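Review bot: the ATT&CK mapping for Azure Service Principal Addition, T1550.001 Application Access Token, describes using a stolen or forged token, not creating an identity; `Add service principal` is an account-creation event, and T1136.003 Create Account: Cloud Account matches the rule's own wording ("a new service principal is added"). The triage text's claim that adding a principal lets attackers "impersonate legitimate service principals" also needs a qualifier, since a newly added principal is a new identity rather than an impersonation of an existing one. Minor: `event.outcome:(success or Success)` reverses the order used in the activitylogs rules; harmless, but worth aligning.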
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-service-principal-credentials-added.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-azure-service-principal-credentials-added]] +=== Azure Service Principal Credentials Added + +Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Resource Hijacking +** ID: T1496 +** Reference URL: https://attack.mitre.org/techniques/T1496/ 
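Review bot: the ATT&CK mapping in this hunk, Impact / T1496 Resource Hijacking, does not match the description, which is about adding a rogue secret or certificate to an existing application so the attacker can authenticate as it and bypass MFA; that behaviour is Persistence / T1098.001 Account Manipulation: Additional Cloud Credentials, and the description should be mapped there. Also `*Runs every*: 10m` makes this the only rule in the batch not on a 5m interval; `now-25m` still gives overlap, but note the reason if it is intentional.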
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-storage-account-key-regenerated.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-storage-account-key-regenerated.asciidoc new file mode 100644 index 0000000000..3b4dd32db0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-storage-account-key-regenerated.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-azure-storage-account-key-regenerated]] +=== Azure Storage Account Key Regenerated + +Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Application Access Token +** ID: T1528 +** Reference URL: https://attack.mitre.org/techniques/T1528/ 
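Review bot: the investigation guide in this hunk carries only the generic `## Setup` data-source paragraph, while the description itself says regenerating keys is an operation that affects every application depending on the storage account, i.e. something administrators do on a schedule. A False positive analysis subsection (planned rotation, rotation performed by the identities that own the account) would stop analysts from treating every `MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION` hit as credential access, and would also explain why this rule ships at `low` / 21 while being mapped to T1528.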
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-virtual-network-device-modified-or-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-virtual-network-device-modified-or-deleted.asciidoc new file mode 100644 index 0000000000..da33029d95 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-azure-virtual-network-device-modified-or-deleted.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-azure-virtual-network-device-modified-or-deleted]] +=== Azure Virtual Network Device Modified or Deleted + +Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Network Security +* Impact + +*Version*: 5 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or +"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE" or "MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE" or +"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION" or "MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE" or +"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE" or "MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE" or +"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE" or "MICROSOFT.NETWORK/VIRTUALHUBS/WRITE" or +"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE" or "MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE") and +event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-binary-executed-from-shared-memory-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-binary-executed-from-shared-memory-directory.asciidoc new file mode 100644 index 0000000000..c1fd80efbd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-binary-executed-from-shared-memory-directory.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-binary-executed-from-shared-memory-directory]] +=== Binary Executed from Shared Memory Directory + +Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://linuxsecurity.com/features/fileless-malware-on-linux +* https://twitter.com/GossiTheDog/status/1522964028284411907 + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Execution +* BPFDoor + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + event.action == "exec" and user.name == "root" and + process.executable : ( + "/dev/shm/*", + "/run/shm/*", + "/var/run/*", + "/var/lock/*" + ) and + not process.executable : ( "/var/run/docker/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-bpf-filter-applied-using-tc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-bpf-filter-applied-using-tc.asciidoc new file mode 100644 index 0000000000..480f9f4c61 
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-bpf-filter-applied-using-tc.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-7-16-4-bpf-filter-applied-using-tc]] +=== BPF filter applied using TC + +Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh +* https://man7.org/linux/man-pages/man8/tc.8.html + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Execution +* TripleCross + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ 
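Review bot: the description expands `tc` as "transmission control" and then, one sentence later, as "Traffic Control"; the second is the right one (tc(8), which this hunk lists under References, is the traffic control utility), so drop or fix the parenthetical. In the query, `event.type != "end"` admits every non-end event type rather than only process start, unlike the sibling Linux rules in this package that use `event.type == "start"`, so the same invocation can alert more than once; and matching only `process.executable : "/usr/sbin/tc"` misses hosts where the binary resolves to another path, so consider adding `process.name : "tc"` alongside it.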
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-bypass-uac-via-event-viewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-bypass-uac-via-event-viewer.asciidoc new file mode 100644 index 0000000000..e2b502ab21 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-bypass-uac-via-event-viewer.asciidoc 
@@ -0,0 +1,141 @@ +[[prebuilt-rule-7-16-4-bypass-uac-via-event-viewer]] +=== Bypass UAC via Event Viewer + +Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 13 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Bypass UAC via Event Viewer + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) +to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. +UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the +local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). + +During startup, `eventvwr.exe` checks the registry value of the `HKCU\Software\Classes\mscfile\shell\open\command` +registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location +of another binary or script is added to this registry value, it will be executed as a high-integrity process without a +UAC prompt being displayed to the user. 
This rule detects this UAC bypass by monitoring processes spawned by +`eventvwr.exe` other than `mmc.exe` and `werfault.exe`. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file +modifications, and any spawned child processes. +- Retrieve the process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "eventvwr.exe" and + not process.executable : + ("?:\\Windows\\SysWOW64\\mmc.exe", + "?:\\Windows\\System32\\mmc.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe", + "?:\\Windows\\System32\\WerFault.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-chkconfig-service-add.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-chkconfig-service-add.asciidoc new file mode 100644 index 0000000000..1eb0c86b76 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-chkconfig-service-add.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-7-16-4-chkconfig-service-add]] +=== Chkconfig Service Add + +Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-* + +*Severity*: medium + +*Risk score*: 74 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Persistence +* Lightning Framework + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or + (process.args : "*chkconfig" and process.args : "--add") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ 
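Review bot: two issues in this hunk. `*Severity*: medium` with `*Risk score*: 74` breaks the convention every other rule in this package follows (medium = 47, high = 73); pick one. And in the query, `and` binds tighter than `or`, so `event.type == "start" and (...) or (...)` applies the `event.type` constraint only to the first branch; the `process.args : "*chkconfig" and process.args : "--add"` branch matches every event type. Suggest wrapping both branches: `process where event.type == "start" and ((process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or (process.args : "*chkconfig" and process.args : "--add"))`.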
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-clearing-windows-console-history.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-clearing-windows-console-history.asciidoc new file mode 100644 index 0000000000..9a294cf34c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-clearing-windows-console-history.asciidoc 
@@ -0,0 +1,124 @@ +[[prebuilt-rule-7-16-4-clearing-windows-console-history]] +=== Clearing Windows Console History + +Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/ +* https://www.shellhacks.com/clear-history-powershell/ +* https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Clearing Windows Console History + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of +logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the +execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be +trying to cover up. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility. 
+ +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.action == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and + (process.args : "*Clear-History*" or + (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or + (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal on Host +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Command History +** ID: T1070.003 +** Reference URL: https://attack.mitre.org/techniques/T1070/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-clearing-windows-event-logs.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-clearing-windows-event-logs.asciidoc new file mode 100644 index 0000000000..9345b97921 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-clearing-windows-event-logs.asciidoc 
@@ -0,0 +1,121 @@ +[[prebuilt-rule-7-16-4-clearing-windows-event-logs]] +=== Clearing Windows Event Logs + +Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 16 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Clearing Windows Event Logs + +Windows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries +can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response. + +This rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. 
+- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity +and there are justifications for this action. +- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear +non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider +adding exceptions — preferably with a combination of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. + - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous + actions, if any, are investigated accordingly with their response playbooks. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("process_started", "start") and + (process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and + process.args : ("/e:false", "cl", "clear-log") or + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Clear-EventLog" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal on Host +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Windows Event Logs +** ID: T1070.001 +** Reference URL: https://attack.mitre.org/techniques/T1070/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-command-execution-via-solarwinds-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-command-execution-via-solarwinds-process.asciidoc new file mode 100644 index 0000000000..5bca46b78c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-command-execution-via-solarwinds-process.asciidoc 
@@ -0,0 +1,95 @@ +[[prebuilt-rule-7-16-4-command-execution-via-solarwinds-process]] +=== Command Execution via SolarWinds Process + +A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html +* https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.name: ("cmd.exe", "powershell.exe") and +process.parent.name: ( + "ConfigurationWizard*.exe", + "NetflowDatabaseMaintenance*.exe", + "NetFlowService*.exe", + "SolarWinds.Administration*.exe", + "SolarWinds.Collector.Service*.exe", + "SolarwindsDiagnostics*.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Supply Chain Compromise +** ID: T1195 +** Reference URL: https://attack.mitre.org/techniques/T1195/ +* Sub-technique: +** Name: Compromise Software Supply Chain +** ID: T1195.002 +** Reference URL: https://attack.mitre.org/techniques/T1195/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-command-shell-activity-started-via-rundll32.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-command-shell-activity-started-via-rundll32.asciidoc new file mode 100644 index 0000000000..9a5b55c4ca --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-command-shell-activity-started-via-rundll32.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-command-shell-activity-started-via-rundll32]] +=== Command Shell Activity Started via RunDLL32 + +Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.name : ("cmd.exe", "powershell.exe") and + process.parent.name : "rundll32.exe" and process.parent.command_line != null and + /* common FPs can be added here */ + not process.parent.args : ("C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL", + "C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-component-object-model-hijacking.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-component-object-model-hijacking.asciidoc new file mode 100644 index 0000000000..8f86ed4e61 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-component-object-model-hijacking.asciidoc 
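Review bot: `process where event.type == "start"` restricts this rule to a single event type while the sibling rules in this package (the SolarWinds and Conhost rules, for example) use `event.type in ("start", "process_started")` against the same `winlogbeat-*` and `logs-windows.*` indices; unless the narrower match is deliberate, align it so data sources that emit `process_started` are not silently skipped. The ATT&CK block also lists only the PowerShell sub-technique (T1059.001) although the query matches `cmd.exe` as well; adding Windows Command Shell (T1059.003) would make the mapping match the query.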
@@ -0,0 +1,143 @@ +[[prebuilt-rule-7-16-4-component-object-model-hijacking]] +=== Component Object Model Hijacking + +Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Component Object Model Hijacking + +Adversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve the file referenced in the registry and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. 
+ - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where + (registry.path : "HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and + not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") + or + /* in general COM Registry changes on Users Hive is less noisy and worth alerting */ + (registry.path : ("HKEY_USERS\\*Classes\\*\\InprocServer32\\", + "HKEY_USERS\\*Classes\\*\\LocalServer32\\", + "HKEY_USERS\\*Classes\\*\\DelegateExecute\\", + "HKEY_USERS\\*Classes\\*\\TreatAs\\", + "HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and + not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and + registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\") and + /* not necessary but good for filtering privileged installations */ + user.domain != "NT AUTHORITY" + ) and + /* removes false-positives generated by OneDrive and Teams */ + not process.name : ("OneDrive.exe","OneDriveSetup.exe","FileSyncConfig.exe","Teams.exe") and + /* Teams DLL loaded by regsvr */ + not (process.name: "regsvr32.exe" and + registry.data.strings : "*Microsoft.Teams.*.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: 
https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-conhost-spawned-by-suspicious-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-conhost-spawned-by-suspicious-parent-process.asciidoc new file mode 100644 index 0000000000..1d6731d2bd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-conhost-spawned-by-suspicious-parent-process.asciidoc 
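Review bot: The `user.domain != "NT AUTHORITY"` clause, annotated in the query as "not necessary but good for filtering privileged installations", drops every HKEY_USERS COM modification made under the SYSTEM, LocalService or NetworkService identities, so a hijack planted by a privileged installer or service is not alerted by the second branch; that is a defensible noise trade-off, but it belongs in the "False positive analysis" section (which currently mentions only Microsoft executables referencing LocalServer32) so analysts know the gap exists. The first branch, `registry.path : "HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll")`, covers only scriptlet (scrobj.dll) hijacks across all hives; a comment saying so next to the existing "Users Hive is less noisy" comment would make the two branches' scopes clear.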
@@ -0,0 +1,136 @@ +[[prebuilt-rule-7-16-4-conhost-spawned-by-suspicious-parent-process]] +=== Conhost Spawned By Suspicious Parent Process + +Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Conhost Spawned By Suspicious Parent Process + +The Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as +the classic Windows user interface for working with command-line applications. + +Attackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and +`PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into +legitimate system processes. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file +modifications, and any spawned child processes. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. +- Retrieve the parent process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26 +- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : "conhost.exe" and + process.parent.name : ("svchost.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe", + "dllhost.exe", "rundll32.exe", "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe", + "wermgr.exe", "csrss.exe", "ctfmon.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-connection-to-commonly-abused-free-ssl-certificate-providers.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-connection-to-commonly-abused-free-ssl-certificate-providers.asciidoc new file mode 100644 index 0000000000..d5849677fd 
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-connection-to-commonly-abused-free-ssl-certificate-providers.asciidoc 
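Review bot: The description calls the behaviour "indicative of code injection" and the guide says attackers "inject these implementations into legitimate system processes", but the ATT&CK block maps only Execution / Command and Scripting Interpreter (T1059); add Defense Evasion / Process Injection (T1055) so the mapping reflects the actual hypothesis. The "False positive analysis" section states the activity is unlikely to happen legitimately while the parent list includes `explorer.exe`, `svchost.exe` and `csrss.exe`, which are among the most common process parents on any host; a sentence explaining why those parents spawning `conhost.exe` directly is still abnormal (none of them is a console application) would help the analyst act on a high-severity alert with confidence.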
@@ -0,0 +1,85 @@ +[[prebuilt-rule-7-16-4-connection-to-commonly-abused-free-ssl-certificate-providers]] +=== Connection to Commonly Abused Free SSL Certificate Providers + +Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Command and Control + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +network where network.protocol == "dns" and + /* Add new free SSL certificate provider domains here */ + dns.question.name : ("*letsencrypt.org", "*.sslforfree.com", "*.zerossl.com", "*.freessl.org") and + + /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */ + process.executable : ("C:\\Windows\\System32\\*.exe", + "C:\\Windows\\System\\*.exe", + "C:\\Windows\\SysWOW64\\*.exe", + "C:\\Windows\\Microsoft.NET\\Framework*\\*.exe", + "C:\\Windows\\explorer.exe", + "C:\\Windows\\notepad.exe") and + + /* Insert noisy false positives here */ + not process.name : ("svchost.exe", "MicrosoftEdge*.exe", "msedge.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Encrypted Channel +** ID: T1573 +** Reference URL: https://attack.mitre.org/techniques/T1573/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-control-panel-process-with-unusual-arguments.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-control-panel-process-with-unusual-arguments.asciidoc new file mode 100644 index 0000000000..3bde478c83 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-control-panel-process-with-unusual-arguments.asciidoc 
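Review bot: In the `dns.question.name` list the first pattern is `"*letsencrypt.org"` while the other three are `"*.sslforfree.com"`, `"*.zerossl.com"` and `"*.freessl.org"`; the missing dot makes the Let's Encrypt entry match the apex domain and any name merely ending in `letsencrypt.org`, whereas the other providers' apex domains are not matched at all. Make the four patterns consistent one way or the other and record the choice in the "Add new free SSL certificate provider domains here" comment so the next contributor follows the same convention.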
@@ -0,0 +1,92 @@ +[[prebuilt-rule-7-16-4-control-panel-process-with-unusual-arguments]] +=== Control Panel Process with Unusual Arguments + +Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.joesandbox.com/analysis/476188/1/html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.executable : ("?:\\Windows\\SysWOW64\\control.exe", "?:\\Windows\\System32\\control.exe") and + process.command_line : + ("*.jpg*", + "*.png*", + "*.gif*", + "*.bmp*", + "*.jpeg*", + "*.TIFF*", + "*.inf*", + "*.cpl:*/*", + "*../../..*", + "*/AppData/Local/*", + "*:\\Users\\Public\\*", + "*\\AppData\\Local\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Control Panel +** ID: T1218.002 +** Reference URL: https://attack.mitre.org/techniques/T1218/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-a-hidden-local-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-a-hidden-local-user-account.asciidoc new file mode 100644 index 0000000000..1b84af5b39 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-a-hidden-local-user-account.asciidoc 
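Review bot: The `process.command_line` patterns `"*\\AppData\\Local\\*"` and `"*:\\Users\\Public\\*"` match any `control.exe` invocation whose command line references a per-user or Public profile path, which is not necessarily malicious, yet the query has no exclusion block and the guide has no "False positive analysis" section even though the rule is rated high severity / risk score 73; add a `not process.command_line : (...)` clause with a comment of the "Insert noisy false positives here" kind used by the Free SSL Certificate Providers rule, or document the expected noise. Also `"*.TIFF*"` is the only upper-case pattern in the list; EQL `:` comparison is case-insensitive, so it is harmless, but lower-casing it keeps the list consistent.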
@@ -0,0 +1,109 @@ +[[prebuilt-rule-7-16-4-creation-of-a-hidden-local-user-account]] +=== Creation of a Hidden Local User Account + +Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html +* https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Creation of a Hidden Local User Account + +Attackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and +bypass detections that identify computer accounts by this pattern to apply filters. + +This rule uses registry events to identify the creation of local hidden accounts. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positive (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Delete the hidden account. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ 
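Review bot: `registry where registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"` carries no `event.type` or `event.action` constraint, unlike every other rule in this patch, so any registry activity under that key matches, not only the creation the title and description promise; if creation-only is intended, add the constraint, and if any activity is intended, say so in the description, because the "Delete the hidden account" remediation step may itself produce a matching event that analysts should expect. Separately, the "Possible investigation steps" list does not tell the analyst to enumerate the new account's group memberships and logon history, which is the first thing to check for an account created for persistence.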
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-files-and-directories-via-commandline.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-files-and-directories-via-commandline.asciidoc new file mode 100644 index 0000000000..3b8172989c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-files-and-directories-via-commandline.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-creation-of-hidden-files-and-directories-via-commandline]] +=== Creation of Hidden Files and Directories via CommandLine + +Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Defense Evasion + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and + process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and + not process.name in ("ls", "find", "grep") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-launch-agent-or-daemon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-launch-agent-or-daemon.asciidoc new file mode 100644 index 0000000000..df97762099 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-launch-agent-or-daemon.asciidoc 
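Review bot: The description says the rule "looks for hidden files or folders in common writable directories", but the query inspects `process.args` of processes whose `process.working_directory` is `/tmp`, `/var/tmp` or `/dev/shm`; because `regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}"""` has to match a whole argument beginning with a dot, a dot-prefixed argument that is not a path at all also matches, and no file event is examined. Reword the description to say it detects dot-prefixed arguments of processes running in those directories, and extend the `not process.name in ("ls", "find", "grep")` exclusion as noise appears rather than leaving it as the only tuning point.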
@@ -0,0 +1,98 @@ +[[prebuilt-rule-7-16-4-creation-of-hidden-launch-agent-or-daemon]] +=== Creation of Hidden Launch Agent or Daemon + +Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence +* Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and + file.path : + ( + "/System/Library/LaunchAgents/.*.plist", + "/Library/LaunchAgents/.*.plist", + "/Users/*/Library/LaunchAgents/.*.plist", + "/System/Library/LaunchDaemons/.*.plist", + "/Library/LaunchDaemons/.*.plist" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Launch Agent +** ID: T1543.001 +** Reference URL: https://attack.mitre.org/techniques/T1543/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-login-item-via-apple-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-login-item-via-apple-script.asciidoc new file mode 100644 index 0000000000..8edaafd314 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-login-item-via-apple-script.asciidoc 
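Review bot: The description says the launch agent or daemon "executes at login", but two of the five paths in the query (`/System/Library/LaunchDaemons/.*.plist` and `/Library/LaunchDaemons/.*.plist`) are LaunchDaemons, which launchd loads at system boot as root rather than at user login; state that distinction in the description because it changes the privilege level the analyst has to assume during triage. `event.type != "deletion"` also means a modification of an existing hidden plist alerts as well as its creation, which is sensible but worth a one-line mention since the title says "Creation".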
@@ -0,0 +1,89 @@ +[[prebuilt-rule-7-16-4-creation-of-hidden-login-item-via-apple-script]] +=== Creation of Hidden Login Item via Apple Script + +Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence +* Execution + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*login item*hidden:true*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Plist Modification +** ID: T1547.011 +** Reference URL: https://attack.mitre.org/techniques/T1547/011/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: AppleScript +** ID: T1059.002 +** Reference URL: https://attack.mitre.org/techniques/T1059/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-shared-object-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-shared-object-file.asciidoc new file mode 100644 index 0000000000..20a5dab798 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-of-hidden-shared-object-file.asciidoc 
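Review bot: The ATT&CK block maps the rule to Boot or Logon Autostart Execution / Plist Modification (T1547.011), but the behaviour the query matches (`process.command_line : "osascript*login item*hidden:true*"`) is the creation of a login item through AppleScript, which ATT&CK covers under sub-technique T1547.015 (Login Items); consider mapping to that sub-technique and keeping T1059.002 (AppleScript) for the execution side. The investigation guide is Setup-only; given the description says this "may indicate an attempt to persist a malicious program", a triage step telling the analyst to list the user's login items and inspect the referenced application path would be a useful addition.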
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-creation-of-hidden-shared-object-file]] +=== Creation of Hidden Shared Object File + +Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Defense Evasion + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.action : "creation" and file.extension == "so" and file.name : ".*.so" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ 
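Review bot: The ATT&CK mapping and tags of the Creation of Hidden Shared Object File rule cover only Defense Evasion (TA0005 / T1564.001), while the description says adversaries hide files "for persistence and defense evasion"; either drop the persistence claim from the description or add the Persistence tactic so text, tags and framework section agree. In the query, `file.extension == "so"` is redundant with `file.name : ".*.so"` (and `==` is case-sensitive while `:` is not), so the `file.name` clause alone would do. Also, `*Maximum alerts per execution*: 33` is an odd value next to the 100 used by every other rule in this package; confirm it is intentional.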
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc new file mode 100644 index 0000000000..27e8db0548 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-creation-or-modification-of-a-new-gpo-scheduled-task-or-service]] +=== Creation or Modification of a new GPO Scheduled Task or Service + +Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and + file.path : ("?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml", + "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Preferences\\Services\\Services.xml") and + not process.name : "dfsrs.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc new file mode 100644 index 0000000000..af0585d981 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc 
@@ -0,0 +1,87 @@ +[[prebuilt-rule-7-16-4-creation-or-modification-of-domain-backup-dpapi-private-key]] +=== Creation or Modification of Domain Backup DPAPI private key + +Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/ +* https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys. + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Private Keys +** ID: T1552.004 +** Reference URL: https://attack.mitre.org/techniques/T1552/004/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-or-modification-of-root-certificate.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-or-modification-of-root-certificate.asciidoc new file mode 100644 index 0000000000..05ef4fd094 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-creation-or-modification-of-root-certificate.asciidoc 
@@ -0,0 +1,143 @@ +[[prebuilt-rule-7-16-4-creation-or-modification-of-root-certificate]] +=== Creation or Modification of Root Certificate + +Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec +* https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Creation or Modification of Root Certificate + +Root certificates are the primary level of certifications that tell a browser that the communication is trusted and +legitimate. This verification is based upon the identification of a certification authority. Windows +adds several trusted root certificates so browsers can use them to communicate with websites. + +[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography. + +This rule identifies the creation or modification of a root certificate by monitoring registry modifications. 
The +installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid +signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file +modifications, and any spawned child processes. +- If one of the processes is suspicious, retrieve it and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting +SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. 
+ - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove the malicious certificate from the root certificate store. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type in ("creation", "change") and + registry.path : + ( + "HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob", + "HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob", + "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob", + "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Subvert Trust Controls +** ID: T1553 +** Reference URL: https://attack.mitre.org/techniques/T1553/ +* Sub-technique: +** Name: Install Root Certificate +** ID: T1553.004 +** Reference URL: https://attack.mitre.org/techniques/T1553/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-acquisition-via-registry-hive-dumping.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-acquisition-via-registry-hive-dumping.asciidoc new file mode 100644 index 0000000000..7a88bde055 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-acquisition-via-registry-hive-dumping.asciidoc 
@@ -0,0 +1,133 @@ +[[prebuilt-rule-7-16-4-credential-acquisition-via-registry-hive-dumping]] +=== Credential Acquisition via Registry Hive Dumping + +Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Credential Acquisition via Registry Hive Dumping + +Dumping registry hives is a common way to access credential information as some hives store credential material. + +For example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached +credentials (LSA secrets). + +Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets. + +This rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the +compromise of the credentials stored in the host. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. 
+- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate if the credential material was exfiltrated or processed locally by other tools. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target +host. + +### False positive analysis + +- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether +the user is legitamitely performing this kind of activity. + +### Related rules + +- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.pe.original_file_name == "reg.exe" and + process.args : ("save", "export") and + process.args : ("hklm\\sam", "hklm\\security") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: LSA Secrets +** ID: T1003.004 +** Reference URL: https://attack.mitre.org/techniques/T1003/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-dumping-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-dumping-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..fd714bbd03 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-dumping-detected-elastic-endgame.asciidoc 
@@ -0,0 +1,62 @@ +[[prebuilt-rule-7-16-4-credential-dumping-detected-elastic-endgame]] +=== Credential Dumping - Detected - Elastic Endgame + +Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Elastic +* Elastic Endgame +* Threat Detection +* Credential Access + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-dumping-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-dumping-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..a5c70d0e52 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-dumping-prevented-elastic-endgame.asciidoc 
@@ -0,0 +1,62 @@ +[[prebuilt-rule-7-16-4-credential-dumping-prevented-elastic-endgame]] +=== Credential Dumping - Prevented - Elastic Endgame + +Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Elastic +* Elastic Endgame +* Threat Detection +* Credential Access + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-manipulation-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-manipulation-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..4843158484 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-manipulation-detected-elastic-endgame.asciidoc 
@@ -0,0 +1,58 @@ +[[prebuilt-rule-7-16-4-credential-manipulation-detected-elastic-endgame]] +=== Credential Manipulation - Detected - Elastic Endgame + +Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Elastic +* Elastic Endgame +* Threat Detection +* Privilege Escalation + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-manipulation-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-manipulation-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..77b8d3e32c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-credential-manipulation-prevented-elastic-endgame.asciidoc 
@@ -0,0 +1,58 @@ +[[prebuilt-rule-7-16-4-credential-manipulation-prevented-elastic-endgame]] +=== Credential Manipulation - Prevented - Elastic Endgame + +Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Elastic +* Elastic Endgame +* Threat Detection +* Privilege Escalation + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-cyberark-privileged-access-security-error.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-cyberark-privileged-access-security-error.asciidoc new file mode 100644 index 0000000000..27ec9ba88c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-cyberark-privileged-access-security-error.asciidoc 
@@ -0,0 +1,83 @@ +[[prebuilt-rule-7-16-4-cyberark-privileged-access-security-error]] +=== CyberArk Privileged Access Security Error + +Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-cyberarkpas.audit* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3 + +*Tags*: + +* Elastic +* cyberarkpas +* SecOps +* Log Auditing +* Threat Detection +* Privilege Escalation + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +## Triage and analysis + +This is a promotion rule for CyberArk error events, which are alertable events per the vendor. +Consult vendor documentation on interpreting specific events. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:cyberarkpas.audit and event.type:error + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ 
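Review bot: In the CyberArk Privileged Access Security Error rule the framework section lists a second tactic, Initial Access (TA0001), with no technique beneath it, while Valid Accounts (T1078) appears only under Privilege Escalation; since T1078 belongs to both tactics, repeat the technique entry under Initial Access (or drop the bare tactic) so the rendered mapping is not left dangling. The description also says `event.code` correlates to the Vault Audit Action Code, yet the query keys only on `event.type:error`; one sentence in the investigation guide saying that `event.code` is for triage rather than matching would avoid confusion.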
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-cyberark-privileged-access-security-recommended-monitor.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-cyberark-privileged-access-security-recommended-monitor.asciidoc new file mode 100644 index 0000000000..dcb7e8362b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-cyberark-privileged-access-security-recommended-monitor.asciidoc 
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-cyberark-privileged-access-security-recommended-monitor]] +=== CyberArk Privileged Access Security Recommended Monitor + +Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-cyberarkpas.audit* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring + +*Tags*: + +* Elastic +* cyberarkpas +* SecOps +* Log Auditing +* Threat Detection +* Privilege Escalation + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +## Triage and analysis + +This is a promotion rule for CyberArk events, which the vendor recommends should be monitored. +Consult vendor documentation on interpreting specific events. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:cyberarkpas.audit and + event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or + 308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and + not event.type:error + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-delete-volume-usn-journal-with-fsutil.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-delete-volume-usn-journal-with-fsutil.asciidoc new file mode 100644 index 0000000000..785014b30b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-delete-volume-usn-journal-with-fsutil.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-delete-volume-usn-journal-with-fsutil]] +=== Delete Volume USN Journal with Fsutil + +Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 13 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and + process.args : "deletejournal" and process.args : "usn" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal on Host +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: File Deletion +** ID: T1070.004 +** Reference URL: https://attack.mitre.org/techniques/T1070/004/ 
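Review bot: In the fsutil rule query, `process.name : "fsutil.exe"` is a case-insensitive match but the fallback `process.pe.original_file_name == "fsutil.exe"` is an exact-case comparison, so the PE-name branch only fires if the version resource uses exactly that casing; the sibling rules in this package hedge the same way with `==` against "WBADMIN.EXE", "Logman.exe" and "AUDITPOL.EXE", which suggests the casing is being guessed per rule. Consider `process.pe.original_file_name : "fsutil.exe"` for consistency with the first clause. Separately, this page ships with `*References*: None` and an Investigation guide that contains only the Setup paragraph, while the wbadmin page two hunks down carries a full Triage, False positive and Response section for a closely related anti-forensics technique; a short triage block here (what the USN journal is, who legitimately runs `deletejournal`) would bring it in line.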
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-deleting-backup-catalogs-with-wbadmin.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-deleting-backup-catalogs-with-wbadmin.asciidoc new file mode 100644 index 0000000000..b195d31173 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-deleting-backup-catalogs-with-wbadmin.asciidoc 
@@ -0,0 +1,120 @@ +[[prebuilt-rule-7-16-4-deleting-backup-catalogs-with-wbadmin]] +=== Deleting Backup Catalogs with Wbadmin + +Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Impact + +*Version*: 15 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Deleting Backup Catalogs with Wbadmin + +Windows Server Backup stores the details about your backups (what volumes are backed up and where the backups are +located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. +Deleting these files is a common step in threat actor playbooks. + +This rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. 
+- Check if any files on the host machine have been encrypted. + +### False positive analysis + +- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate. + +### Related rules + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look +for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "wbadmin.exe" or process.pe.original_file_name == "WBADMIN.EXE") and + process.args : "catalog" and process.args : "delete" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-direct-outbound-smb-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-direct-outbound-smb-connection.asciidoc new file mode 100644 index 0000000000..19cf5caada --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-direct-outbound-smb-connection.asciidoc 
@@ -0,0 +1,124 @@ +[[prebuilt-rule-7-16-4-direct-outbound-smb-connection]] +=== Direct Outbound SMB Connection + +Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Direct Outbound SMB Connection + +This rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically +implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these +network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate +port scanners, exploits, and tools used to move laterally on the environment. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Contact the account owner and confirm whether they are aware of this activity. +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file +modifications, and any spawned child processes. +- Retrieve the process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination +of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where event.type == "start" and process.pid != 4] + [network where destination.port == 445 and process.pid != 4 and + not cidrmatch(destination.ip, "127.0.0.1", "::1")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc new file mode 100644 index 0000000000..96e3b68022 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc 
@@ -0,0 +1,135 @@ +[[prebuilt-rule-7-16-4-disable-windows-event-and-security-logs-using-built-in-tools]] +=== Disable Windows Event and Security Logs Using Built-in Tools + +Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman +* https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic +* Ivan Ninichuck +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disable Windows Event and Security Logs Using Built-in Tools + +Windows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries +can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response. + +This rule looks for the usage of different utilities to disable the EventLog service or specific event logs. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Re-enable affected logging components, services, and security monitoring. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + + ((process.name:"logman.exe" or process.pe.original_file_name == "Logman.exe") and + process.args : "EventLog-*" and process.args : ("stop", "delete")) or + + ((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or process.pe.original_file_name in + ("pwsh.exe", "powershell.exe", "powershell_ise.exe")) and + process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled") or + + ((process.name:"auditpol.exe" or process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal on Host +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Windows Event Logs +** ID: T1070.001 +** Reference URL: https://attack.mitre.org/techniques/T1070/001/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disable-windows-firewall-rules-via-netsh.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disable-windows-firewall-rules-via-netsh.asciidoc new file mode 100644 index 0000000000..b6fe542648 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disable-windows-firewall-rules-via-netsh.asciidoc 
@@ -0,0 +1,113 @@ +[[prebuilt-rule-7-16-4-disable-windows-firewall-rules-via-netsh]] +=== Disable Windows Firewall Rules via Netsh + +Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 15 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disable Windows Firewall Rules via Netsh + +The Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a +device, and blocks unauthorized network traffic flowing into or out of the local device. + +Attackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity. + +This rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user to check if they are aware of the operation. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+ +### False positive analysis + +- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing +troubleshooting. +- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : "netsh.exe" and + (process.args : "disable" and process.args : "firewall" and process.args : "set") or + (process.args : "advfirewall" and process.args : "off" and process.args : "state") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disabling-user-account-control-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disabling-user-account-control-via-registry-modification.asciidoc new file mode 100644 index 0000000000..6a4a036fdd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disabling-user-account-control-via-registry-modification.asciidoc 
@@ -0,0 +1,99 @@ +[[prebuilt-rule-7-16-4-disabling-user-account-control-via-registry-modification]] +=== Disabling User Account Control via Registry Modification + +User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.greyhathacker.net/?p=796 +* https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings +* https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type == "change" and + registry.path : + ( + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop" + ) and + registry.data.strings : ("0", "0x00000000") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disabling-windows-defender-security-settings-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disabling-windows-defender-security-settings-via-powershell.asciidoc new file mode 100644 index 0000000000..2a78af913a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-disabling-windows-defender-security-settings-via-powershell.asciidoc 
@@ -0,0 +1,127 @@ +[[prebuilt-rule-7-16-4-disabling-windows-defender-security-settings-via-powershell]] +=== Disabling Windows Defender Security Settings via PowerShell + +Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disabling Windows Defender Security Settings via PowerShell + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple +environments. Disabling it is a common step in threat actor playbooks. + +This rule monitors the execution of commands that can tamper the Windows Defender antivirus features. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate +software installations. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, +sample submission, etc. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, +the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), +and no other suspicious activity has been observed. + +### Related rules + +- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and + process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dns-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dns-activity-to-the-internet.asciidoc new file mode 100644 index 0000000000..958f370c51 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dns-activity-to-the-internet.asciidoc 
@@ -0,0 +1,95 @@ +[[prebuilt-rule-7-16-4-dns-activity-to-the-internet]] +=== DNS Activity to the Internet + +This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.us-cert.gov/ncas/alerts/TA15-240A +* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Network +* Threat Detection +* Command and Control +* Host + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) + and source.ip:( + 10.0.0.0/8 or + 172.16.0.0/12 or + 192.168.0.0/16 + ) and + not destination.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.0.0.0/24 or + 192.0.0.0/29 or + 192.0.0.8/32 or + 192.0.0.9/32 or + 192.0.0.10/32 or + 192.0.0.170/32 or + 192.0.0.171/32 or + 192.0.2.0/24 or + 192.31.196.0/24 or + 192.52.193.0/24 or + 192.168.0.0/16 or + 192.88.99.0/24 or + 224.0.0.0/4 or + 100.64.0.0/10 or + 192.175.48.0/24 or + 198.18.0.0/15 or + 198.51.100.0/24 or + 
203.0.113.0/24 or + 240.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dns-over-https-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dns-over-https-enabled-via-registry.asciidoc new file mode 100644 index 0000000000..2d57839267 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dns-over-https-enabled-via-registry.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-dns-over-https-enabled-via-registry]] +=== DNS-over-HTTPS Enabled via Registry + +Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html +* https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type in ("creation", "change") and + (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and + registry.data.strings : "1") or + (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and + registry.data.strings : "secure") or + (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and + registry.data.strings : "1") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dns-tunneling.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dns-tunneling.asciidoc new file mode 100644 index 0000000000..9bc1c8a69f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dns-tunneling.asciidoc 
@@ -0,0 +1,50 @@ +[[prebuilt-rule-7-16-4-dns-tunneling]] +=== DNS Tunneling + +A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Network +* Threat Detection +* ML +* Command and Control + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-domain-added-to-google-workspace-trusted-domains.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-domain-added-to-google-workspace-trusted-domains.asciidoc new file mode 100644 index 0000000000..06a3c48d20 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-domain-added-to-google-workspace-trusted-domains.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-domain-added-to-google-workspace-trusted-domains]] +=== Domain Added to Google Workspace Trusted Domains + +Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/6160020?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dumping-of-keychain-content-via-security-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dumping-of-keychain-content-via-security-command.asciidoc new file mode 100644 index 0000000000..11d878da85 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dumping-of-keychain-content-via-security-command.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-dumping-of-keychain-content-via-security-command]] +=== Dumping of Keychain Content via Security Command + +Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://ss64.com/osx/security.html + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Credential Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dynamic-linker-copy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dynamic-linker-copy.asciidoc new file mode 100644 index 0000000000..40709cddbb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-dynamic-linker-copy.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-7-16-4-dynamic-linker-copy]] +=== Dynamic Linker Copy + +Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. + +*Rule type*: eql + +*Rule indices*: + +* logs-* + +*Severity*: high + +*Risk score*: 85 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Persistence +* Orbit + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m +[process where event.type == "start" and process.name : ("cp", "rsync") and process.args : ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload")] +[file where event.action == "creation" and file.extension == "so"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ 
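Review bot: the Dynamic Linker Copy query hard-codes the Debian/Ubuntu x86-64 multiarch loader path, `process.args : ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload")`, so the identical copy on RHEL-style hosts (`/lib64/ld-linux-x86-64.so.2`) or on arm64 (`/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1`) produces no alert even though the description says this activity "should never occur"; either add those paths (or a `*ld-linux*.so*` pattern) or state the x86-64/Debian scope in the description. The second step, `[file where event.action == "creation" and file.extension == "so"]`, also deserves a check against a copy that keeps the loader's own name: by ECS's definition `file.extension` holds only the last suffix, which for `ld-linux-x86-64.so.2` is `2`, not `so`, so the sequence only completes when the copy is renamed.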
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-eggshell-backdoor-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-eggshell-backdoor-execution.asciidoc new file mode 100644 index 0000000000..1b2a307fe4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-eggshell-backdoor-execution.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-7-16-4-eggshell-backdoor-execution]] +=== EggShell Backdoor Execution + +Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/neoneggplant/EggShell + +*Tags*: + +* Elastic +* Host +* Linux +* macOS +* Threat Detection +* Execution + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Python +** ID: T1059.006 +** Reference URL: https://attack.mitre.org/techniques/T1059/006/ 
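Review bot: typo in the EggShell description, "Identifies the execution of and EggShell Backdoor" should read "of an EggShell backdoor". The query's two indicators, `process.name:espl and process.args:eyJkZWJ1ZyI6*`, also need a sentence in the description or a comment in the query saying what they correspond to in the referenced project: `eyJkZWJ1ZyI6` is the base64 encoding of `{"debug":`, and without that explanation an analyst tuning the rule cannot tell why the prefix is tool-specific rather than arbitrary.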
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-elastic-agent-service-terminated.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-elastic-agent-service-terminated.asciidoc new file mode 100644 index 0000000000..4c063e95fb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-elastic-agent-service-terminated.asciidoc 
@@ -0,0 +1,92 @@ +[[prebuilt-rule-7-16-4-elastic-agent-service-terminated]] +=== Elastic Agent Service Terminated + +Identifies the {agent} has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state. + +*Rule type*: eql + +*Rule indices*: + +* logs-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* Windows +* macOS +* Threat Detection +* Defense Evasion + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where +/* net, sc or wmic stopping or deleting Elastic Agent on Windows */ +(event.type == "start" and + process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and + process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and + process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint")) +or +/* service or systemctl used to stop Elastic Agent on Linux */ +(event.type == "end" and + (process.name : ("systemctl", "service") and + process.args : "elastic-agent" and + process.args : "stop") + or + /* Unload Elastic Agent extension on MacOS */ + (process.name : "kextunload" and + process.args : "com.apple.iokit.EndpointSecurity" and + event.action : "end")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-emond-rules-creation-or-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-emond-rules-creation-or-modification.asciidoc new file mode 100644 index 0000000000..9f9e0b5c51 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-emond-rules-creation-or-modification.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-emond-rules-creation-or-modification]] +=== Emond Rules Creation or Modification + +Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.xorrior.com/emond-persistence/ +* https://www.sentinelone.com/blog/how-malware-persists-on-macos/ + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and + file.path : ("/private/etc/emond.d/rules/*.plist", "/etc/emon.d/rules/*.plist", "/private/var/db/emondClients/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Emond +** ID: T1546.014 +** Reference URL: https://attack.mitre.org/techniques/T1546/014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enable-host-network-discovery-via-netsh.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enable-host-network-discovery-via-netsh.asciidoc new file mode 100644 index 0000000000..f520d04b67 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enable-host-network-discovery-via-netsh.asciidoc 
@@ -0,0 +1,117 @@ +[[prebuilt-rule-7-16-4-enable-host-network-discovery-via-netsh]] +=== Enable Host Network Discovery via Netsh + +Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Enable Host Network Discovery via Netsh + +The Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a +device and blocks unauthorized network traffic flowing into or out of the local device. + +Attackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems +with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify +targets for lateral movement. This rule looks for the setup of this setting using the netsh utility. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity +and there are justifications for this configuration. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Disable Network Discovery: + - Using netsh: `netsh advfirewall firewall set rule group="Network Discovery" new enable=No` +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and +process.name : "netsh.exe" and +process.args : ("firewall", "advfirewall") and process.args : "group=Network Discovery" and process.args : "enable=Yes" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-encrypting-files-with-winrar-or-7z.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-encrypting-files-with-winrar-or-7z.asciidoc new file mode 100644 index 0000000000..65d9de0ecb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-encrypting-files-with-winrar-or-7z.asciidoc 
@@ -0,0 +1,130 @@ +[[prebuilt-rule-7-16-4-encrypting-files-with-winrar-or-7z]] +=== Encrypting Files with WinRar or 7z + +Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Collection + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Encrypting Files with WinRar or 7z + +Attackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the +collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is +being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender. + +These steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Retrieve the encrypted file. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if the password used in the encryption was included in the command line. 
+- Decrypt the `.rar`/`.zip` and check if the information is sensitive. +- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the +file names included in the encrypted file. +- Investigate if the file was transferred to an attacker-controlled server. + +### False positive analysis + +- Backup software can use these utilities. Check the `process.parent.executable` and +`process.parent.command_line` fields to determine what triggered the encryption. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Prioritize cases that involve personally identifiable information (PII) or other classified data. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ((process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or + process.pe.original_file_name == "Command line RAR") and + process.args == "a" and process.args : ("-hp*", "-p*", "-dw", "-tb", "-ta", "/hp*", "/p*", "/dw", "/tb", "/ta")) + + or + (process.pe.original_file_name in ("7z.exe", "7za.exe") and + process.args == "a" and process.args : ("-p*", "-sdel")) + + /* uncomment if noisy for backup software related FPs */ + /* not process.parent.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Archive Collected Data +** ID: T1560 +** Reference URL: https://attack.mitre.org/techniques/T1560/ +* Sub-technique: +** Name: Archive via Utility +** ID: T1560.001 +** Reference URL: https://attack.mitre.org/techniques/T1560/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumerating-domain-trusts-via-nltest-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumerating-domain-trusts-via-nltest-exe.asciidoc new file mode 100644 index 0000000000..b2565ec2b9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumerating-domain-trusts-via-nltest-exe.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-enumerating-domain-trusts-via-nltest-exe]] +=== Enumerating Domain Trusts via NLTEST.EXE + +Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 23 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +* https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : "nltest.exe" and process.args : ( + "/DCLIST:*", "/DCNAME:*", "/DSGET*", + "/LSAQUERYFTI:*", "/PARENTDOMAIN", + "/DOMAIN_TRUSTS", "/BDC_QUERY:*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-command-spawned-via-wmiprvse.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-command-spawned-via-wmiprvse.asciidoc new file mode 100644 index 0000000000..d5b4df1a76 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-command-spawned-via-wmiprvse.asciidoc 
@@ -0,0 +1,114 @@ +[[prebuilt-rule-7-16-4-enumeration-command-spawned-via-wmiprvse]] +=== Enumeration Command Spawned via WMIPrvSE + +Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE). + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name: + ( + "arp.exe", + "dsquery.exe", + "dsget.exe", + "gpresult.exe", + "hostname.exe", + "ipconfig.exe", + "nbtstat.exe", + "net.exe", + "net1.exe", + "netsh.exe", + "netstat.exe", + "nltest.exe", + "ping.exe", + "qprocess.exe", + "quser.exe", + "qwinsta.exe", + "reg.exe", + "sc.exe", + "systeminfo.exe", + "tasklist.exe", + "tracert.exe", + "whoami.exe" + ) and + process.parent.name:"wmiprvse.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-of-administrator-accounts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-of-administrator-accounts.asciidoc new file mode 100644 index 0000000000..77be5dce11 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-of-administrator-accounts.asciidoc 
@@ -0,0 +1,134 @@ +[[prebuilt-rule-7-16-4-enumeration-of-administrator-accounts]] +=== Enumeration of Administrator Accounts + +Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Enumeration of Administrator Accounts + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups +in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such +as mapping targets for credential compromise and other post-exploitation activities. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Related rules + +- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or + ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and + not process.parent.name : "net.exe")) and + process.args : ("group", "user", "localgroup") and + process.args : ("admin", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management") and + not process.args : "/add") + + or + + ((process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and + process.args : ("group", "useraccount")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Domain Groups +** ID: T1069.002 +** Reference URL: https://attack.mitre.org/techniques/T1069/002/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-of-privileged-local-groups-membership.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-of-privileged-local-groups-membership.asciidoc new file mode 100644 index 0000000000..86369dc5b6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-of-privileged-local-groups-membership.asciidoc 
@@ -0,0 +1,185 @@ +[[prebuilt-rule-7-16-4-enumeration-of-privileged-local-groups-membership]] +=== Enumeration of Privileged Local Groups Membership + +Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: medium + +*Risk score*: 43 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Enumeration of Privileged Local Groups Membership + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known +legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, +such as mapping targets for credential compromise and other post-exploitation activities. + +#### Possible investigation steps + +- Identify the process, host and user involved on the event. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. +- Retrieve the process executable and determine if it is malicious: + - Check if the file belongs to the operating system or has a valid digital signature. + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination +of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'Audit Security Group Management' audit policy must be configured (Success). 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Account Management > +Audit Security Group Management (Success) +``` + +Microsoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems. + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +iam where event.action == "user-member-enumerated" and + + /* excluding machine account */ + not winlog.event_data.SubjectUserName: ("*$", "LOCAL SERVICE", "NETWORK SERVICE") and + + /* noisy and usual legit processes excluded */ + not winlog.event_data.CallerProcessName: + ("-", + "?:\\Windows\\System32\\VSSVC.exe", + "?:\\Windows\\System32\\SearchIndexer.exe", + "?:\\Windows\\System32\\CompatTelRunner.exe", + "?:\\Windows\\System32\\oobe\\msoobe.exe", + "?:\\Windows\\System32\\net1.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\Netplwiz.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\SysWOW64\\msiexec.exe", + "?:\\Windows\\System32\\CloudExperienceHostBroker.exe", + "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "?:\\Windows\\System32\\SrTasks.exe", + "?:\\Windows\\System32\\lsass.exe", + "?:\\Windows\\System32\\diskshadow.exe", + "?:\\Windows\\System32\\dfsrs.exe", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\WindowsAzure\\*\\WaAppAgent.exe", + "?:\\Windows\\System32\\vssadmin.exe", + 
"?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe", + "?:\\Windows\\System32\\dllhost.exe", + "?:\\Windows\\System32\\mmc.exe", + "?:\\Windows\\System32\\SettingSyncHost.exe", + "?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", + "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe", + "?:\\Windows\\Temp\\rubrik_vmware???\\snaptool.exe", + "?:\\Windows\\System32\\inetsrv\\w3wp.exe", + "?:\\$WINDOWS.~BT\\Sources\\*.exe", + "?:\\Windows\\System32\\wsmprovhost.exe", + "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\x3jobt3?.exe", + "?:\\Windows\\System32\\mstsc.exe", + "?:\\Windows\\System32\\esentutl.exe", + "?:\\Windows\\System32\\RecoveryDrive.exe", + "?:\\Windows\\System32\\SystemPropertiesComputerName.exe") and + + /* privileged local groups */ + (group.name:("admin*","RemoteDesktopUsers") or + winlog.event_data.TargetSid:("S-1-5-32-544","S-1-5-32-555")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-of-users-or-groups-via-built-in-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-of-users-or-groups-via-built-in-commands.asciidoc new file mode 100644 index 0000000000..2e294a4de4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-enumeration-of-users-or-groups-via-built-in-commands.asciidoc 
@@ -0,0 +1,93 @@ +[[prebuilt-rule-7-16-4-enumeration-of-users-or-groups-via-built-in-commands]] +=== Enumeration of Users or Groups via Built-in Commands + +Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Discovery + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ( + process.name : ("ldapsearch", "dsmemberutil") or + (process.name : "dscl" and + process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and + process.args : ("/Active Directory/*", "/Users*", "/Groups*")) + ) and + not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD", + "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence", + "/Applications/Sourcetree.app/Contents/MacOS/Sourcetree", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", + "/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect", + "/usr/local/jamf/bin/jamf", + "/Library/Application Support/AirWatch/hubd", + "/opt/jc/bin/jumpcloud-agent", + "/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon", + "/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon", + "/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-executable-file-creation-with-multiple-extensions.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-executable-file-creation-with-multiple-extensions.asciidoc new file mode 100644 index 0000000000..8807148b22 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-executable-file-creation-with-multiple-extensions.asciidoc 
@@ -0,0 +1,92 @@ +[[prebuilt-rule-7-16-4-executable-file-creation-with-multiple-extensions]] +=== Executable File Creation with Multiple Extensions + +Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type == "creation" and file.extension : "exe" and + file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and + not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and + file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and + not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Double File Extension +** ID: T1036.007 +** Reference URL: https://attack.mitre.org/techniques/T1036/007/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-from-unusual-directory-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-from-unusual-directory-command-line.asciidoc new file mode 100644 index 0000000000..5f86e4b60a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-from-unusual-directory-command-line.asciidoc 
@@ -0,0 +1,193 @@ +[[prebuilt-rule-7-16-4-execution-from-unusual-directory-command-line]] +=== Execution from Unusual Directory - Command Line + +Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +This is related to the `Process Execution from an Unusual Directory rule`. + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started", "info") and + process.name : ("wscript.exe", + "cscript.exe", + "rundll32.exe", + "regsvr32.exe", + "cmstp.exe", + "RegAsm.exe", + "installutil.exe", + "mshta.exe", + "RegSvcs.exe", + "powershell.exe", + "pwsh.exe", + "cmd.exe") and + + /* add suspicious execution paths here */ + process.args : ("C:\\PerfLogs\\*", + "C:\\Users\\Public\\*", + "C:\\Windows\\Tasks\\*", + "C:\\Intel\\*", + "C:\\AMD\\Temp\\*", + "C:\\Windows\\AppReadiness\\*", + "C:\\Windows\\ServiceState\\*", + "C:\\Windows\\security\\*", + "C:\\Windows\\IdentityCRL\\*", + "C:\\Windows\\Branding\\*", + "C:\\Windows\\csc\\*", + "C:\\Windows\\DigitalLocker\\*", + "C:\\Windows\\en-US\\*", + "C:\\Windows\\wlansvc\\*", + "C:\\Windows\\Prefetch\\*", + "C:\\Windows\\Fonts\\*", + "C:\\Windows\\diagnostics\\*", + "C:\\Windows\\TAPI\\*", + "C:\\Windows\\INF\\*", + "C:\\Windows\\System32\\Speech\\*", + "C:\\windows\\tracing\\*", + "c:\\windows\\IME\\*", + "c:\\Windows\\Performance\\*", + "c:\\windows\\intel\\*", + "c:\\windows\\ms\\*", + "C:\\Windows\\dot3svc\\*", + "C:\\Windows\\panther\\*", + "C:\\Windows\\RemotePackages\\*", + "C:\\Windows\\OCR\\*", + "C:\\Windows\\appcompat\\*", + "C:\\Windows\\apppatch\\*", + "C:\\Windows\\addins\\*", + "C:\\Windows\\Setup\\*", + "C:\\Windows\\Help\\*", + "C:\\Windows\\SKB\\*", + "C:\\Windows\\Vss\\*", + "C:\\Windows\\servicing\\*", + "C:\\Windows\\CbsTemp\\*", + "C:\\Windows\\Logs\\*", + "C:\\Windows\\WaaS\\*", + "C:\\Windows\\twain_32\\*", + "C:\\Windows\\ShellExperiences\\*", + "C:\\Windows\\ShellComponents\\*", + "C:\\Windows\\PLA\\*", + "C:\\Windows\\Migration\\*", + "C:\\Windows\\debug\\*", + "C:\\Windows\\Cursors\\*", + "C:\\Windows\\Containers\\*", + "C:\\Windows\\Boot\\*", + "C:\\Windows\\bcastdvr\\*", + "C:\\Windows\\TextInput\\*", + "C:\\Windows\\security\\*", + "C:\\Windows\\schemas\\*", + 
"C:\\Windows\\SchCache\\*", + "C:\\Windows\\Resources\\*", + "C:\\Windows\\rescache\\*", + "C:\\Windows\\Provisioning\\*", + "C:\\Windows\\PrintDialog\\*", + "C:\\Windows\\PolicyDefinitions\\*", + "C:\\Windows\\media\\*", + "C:\\Windows\\Globalization\\*", + "C:\\Windows\\L2Schemas\\*", + "C:\\Windows\\LiveKernelReports\\*", + "C:\\Windows\\ModemLogs\\*", + "C:\\Windows\\ImmersiveControlPanel\\*", + "C:\\$Recycle.Bin\\*") and + + /* noisy FP patterns */ + + not process.parent.executable : ("C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\*\\igfxCUIService*.exe", + "C:\\Windows\\System32\\spacedeskService.exe", + "C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe") and + not (process.name : "rundll32.exe" and + process.args : ("uxtheme.dll,#64", + "PRINTUI.DLL,PrintUIEntry", + "?:\\Windows\\System32\\FirewallControlPanel.dll,ShowNotificationDialog", + "?:\\WINDOWS\\system32\\Speech\\SpeechUX\\sapi.cpl", + "?:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL")) and + + not (process.name : "cscript.exe" and process.args : "?:\\WINDOWS\\system32\\calluxxprovider.vbs") and + + not (process.name : "cmd.exe" and process.args : "?:\\WINDOWS\\system32\\powercfg.exe" and process.args : "?:\\WINDOWS\\inf\\PowerPlan.log") and + + not (process.name : "regsvr32.exe" and process.args : "?:\\Windows\\Help\\OEM\\scripts\\checkmui.dll") and + + not (process.name : "cmd.exe" and + process.parent.executable : ("?:\\Windows\\System32\\oobe\\windeploy.exe", + "?:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe", + "?:\\Windows\\System32\\igfxCUIService.exe", + "?:\\Windows\\Temp\\IE*.tmp\\IE*-support\\ienrcore.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 
+** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-of-com-object-via-xwizard.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-of-com-object-via-xwizard.asciidoc new file mode 100644 index 0000000000..dcecea8a04 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-of-com-object-via-xwizard.asciidoc 
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-execution-of-com-object-via-xwizard]] +=== Execution of COM object via Xwizard + +Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ +* http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.pe.original_file_name : "xwizard.exe" and + ( + (process.args : "RunWizard" and process.args : "{*}") or + (process.executable != null and + not process.executable : ("C:\\Windows\\SysWOW64\\xwizard.exe", "C:\\Windows\\System32\\xwizard.exe") + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-via-local-sxs-shared-module.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-via-local-sxs-shared-module.asciidoc new file mode 100644 index 0000000000..242d6a81ff --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-via-local-sxs-shared-module.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-execution-via-local-sxs-shared-module]] +=== Execution via local SxS Shared Module + +Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory. + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Shared Modules +** ID: T1129 +** Reference URL: https://attack.mitre.org/techniques/T1129/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc new file mode 100644 index 0000000000..e6c98cd5a0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-execution-via-mssql-xp-cmdshell-stored-procedure]] +=== Execution via MSSQL xp_cmdshell Stored Procedure + +Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : "cmd.exe" and process.parent.name : "sqlservr.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ 
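Review bot: "review the context of it's use" in the Execution via MSSQL xp_cmdshell Stored Procedure description should be "its use", and the sentence runs on; suggest "Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, so the context of its use should be reviewed." The query `process.name : "cmd.exe" and process.parent.name : "sqlservr.exe"` is sound, since xp_cmdshell spawns cmd.exe under the SQL Server service process, but the page does not say so; one sentence in the investigation guide explaining why this parent/child pair is the signal would help analysts triage a match, and `*References*: None` could point at Microsoft's xp_cmdshell documentation.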
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-via-tsclient-mountpoint.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-via-tsclient-mountpoint.asciidoc new file mode 100644 index 0000000000..ab01f499c2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-via-tsclient-mountpoint.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-execution-via-tsclient-mountpoint]] +=== Execution via TSClient Mountpoint + +Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.executable : "\\Device\\Mup\\tsclient\\*.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ 
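Review bot: the Execution via TSClient Mountpoint query matches only the device-path form `\\Device\\Mup\\tsclient\\*.exe`, yet the rule indices include `winlogbeat-*` and `logs-windows.*`; confirm that process events from those sources carry the executable path in this form rather than as a `\\tsclient\...` UNC path, and if they do not, add that pattern so the rule is not effectively endpoint-only. The pattern also restricts matches to `.exe`, which the description ("execution from the ... shared mountpoint") does not make explicit; state the scope in the description.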
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-with-explicit-credentials-via-scripting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-with-explicit-credentials-via-scripting.asciidoc new file mode 100644 index 0000000000..0dd4d7152b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-execution-with-explicit-credentials-via-scripting.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-execution-with-explicit-credentials-via-scripting]] +=== Execution with Explicit Credentials via Scripting + +Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf +* https://www.manpagez.com/man/8/security_authtrampoline/ + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Execution +* Privilege Escalation + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and + process.name:"security_authtrampoline" and + process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Elevated Execution with Prompt +** ID: T1548.004 +** Reference URL: 
https://attack.mitre.org/techniques/T1548/004/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-exploit-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-exploit-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..09b97478a8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-exploit-detected-elastic-endgame.asciidoc 
@@ -0,0 +1,63 @@ +[[prebuilt-rule-7-16-4-exploit-detected-elastic-endgame]] +=== Exploit - Detected - Elastic Endgame + +Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Elastic +* Elastic Endgame +* Threat Detection +* Execution +* Privilege Escalation + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-exploit-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-exploit-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..76800aa90c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-exploit-prevented-elastic-endgame.asciidoc 
@@ -0,0 +1,63 @@ +[[prebuilt-rule-7-16-4-exploit-prevented-elastic-endgame]] +=== Exploit - Prevented - Elastic Endgame + +Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Elastic +* Elastic Endgame +* Threat Detection +* Execution +* Privilege Escalation + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-exporting-exchange-mailbox-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-exporting-exchange-mailbox-via-powershell.asciidoc new file mode 100644 index 0000000000..31a367c5c4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-exporting-exchange-mailbox-via-powershell.asciidoc 
@@ -0,0 +1,134 @@ +[[prebuilt-rule-7-16-4-exporting-exchange-mailbox-via-powershell]] +=== Exporting Exchange Mailbox via PowerShell + +Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ +* https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Collection + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Exporting Exchange Mailbox via PowerShell + +The `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive +to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange. + +Attackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive +and strategic data. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Investigate the export operation: + - Identify the user account that performed the action and whether it should perform this kind of action. + - Contact the account owner and confirm whether they are aware of this activity. + - Check if this operation was approved and performed according to the organization's change management policy. + - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests. + - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that + assigned the "Mailbox Import Export" privilege for abnormal activity. +- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on +a per-mailbox basis and can be part of a mass export. +- If the operation was completed successfully: + - Check if the file is on the path specified in the command. + - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity +and it is done with proper approval. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior. +- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests. +- Prioritize cases that involve personally identifiable information (PII) or other classified data. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. 
+- Review the privileges of users with the "Mailbox Import Export" privilege to ensure that the least privilege principle +is being followed. +- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, +persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "New-MailboxExportRequest*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Sub-technique: +** Name: Remote Email Collection +** ID: T1114.002 +** Reference URL: https://attack.mitre.org/techniques/T1114/002/ 
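Review bot: `process.args : "New-MailboxExportRequest*"` in the Exporting Exchange Mailbox via PowerShell query only matches when the cmdlet name begins an argument token; when PowerShell is launched with `-Command "... New-MailboxExportRequest ..."` the whole script is one argument and the trailing-wildcard pattern does not match. Consider `process.args : "*New-MailboxExportRequest*"`, and mention in the investigation guide that command-line matching does not see encoded or file-based invocations, so PowerShell script block logging should back this rule.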
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-external-ip-lookup-from-non-browser-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-external-ip-lookup-from-non-browser-process.asciidoc new file mode 100644 index 0000000000..2b29ed676c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-external-ip-lookup-from-non-browser-process.asciidoc 
@@ -0,0 +1,159 @@ +[[prebuilt-rule-7-16-4-external-ip-lookup-from-non-browser-process]] +=== External IP Lookup from Non-Browser Process + +Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation +* https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating External IP Lookup from Non-Browser Process + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for connections to known IP lookup services through non-browser processes or non-installed programs. +Using only the IP address of the compromised system, attackers can obtain valuable information such as the system's +geographic location, the company that owns the IP, whether the system is cloud-hosted, and more. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file +modifications, and any spawned child processes. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination +of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Use the data collected through the analysis to investigate other machines affected in the environment. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +network where network.protocol == "dns" and + process.name != null and user.id not in ("S-1-5-19", "S-1-5-20") and + event.action == "lookup_requested" and + /* Add new external IP lookup services here */ + dns.question.name : + ( + "*api.ipify.org", + "*freegeoip.app", + "*checkip.amazonaws.com", + "*checkip.dyndns.org", + "*freegeoip.app", + "*icanhazip.com", + "*ifconfig.*", + "*ipecho.net", + "*ipgeoapi.com", + "*ipinfo.io", + "*ip.anysrc.net", + "*myexternalip.com", + "*myipaddress.com", + "*showipaddress.com", + "*whatismyipaddress.com", + "*wtfismyip.com", + "*ipapi.co", + "*ip-lookup.net", + "*ipstack.com" + ) and + /* Insert noisy false positives here */ + not process.executable : + ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\WWAHost.exe", + "?:\\Windows\\System32\\smartscreen.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Location Discovery +** ID: T1614 +** Reference URL: https://attack.mitre.org/techniques/T1614/ +* Technique: +** Name: System Network Configuration Discovery +** ID: T1016 +** Reference URL: https://attack.mitre.org/techniques/T1016/ +* Sub-technique: +** Name: 
Internet Connection Discovery +** ID: T1016.001 +** Reference URL: https://attack.mitre.org/techniques/T1016/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-file-and-directory-discovery.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-file-and-directory-discovery.asciidoc new file mode 100644 index 0000000000..34036e1186 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-file-and-directory-discovery.asciidoc 
@@ -0,0 +1,115 @@ +[[prebuilt-rule-7-16-4-file-and-directory-discovery]] +=== File and Directory Discovery + +Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating File and Directory Discovery + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for three directory-listing commands in one minute, which can indicate attempts to locate valuable files, +specific file types or installed programs. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. 
+ +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by agent.id, user.name with maxspan=1m +[process where event.type in ("start", "process_started") and + ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or + process.name : "tree.com"] +[process where event.type in ("start", "process_started") and + ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or + process.name : "tree.com"] +[process where event.type in ("start", "process_started") and + ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or + process.name : "tree.com"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: File and Directory Discovery +** ID: T1083 +** Reference URL: https://attack.mitre.org/techniques/T1083/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-file-made-immutable-by-chattr.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-file-made-immutable-by-chattr.asciidoc new file mode 100644 index 0000000000..f46793629d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-file-made-immutable-by-chattr.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-file-made-immutable-by-chattr]] +=== File made Immutable by Chattr + +Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Defense Evasion + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and user.name == "root" and process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and not process.parent.executable: "/lib/systemd/systemd" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ +* Sub-technique: +** Name: Linux and Mac File and Directory Permissions Modification +** ID: T1222.002 +** Reference URL: https://attack.mitre.org/techniques/T1222/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-firewall-rule-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-firewall-rule-creation.asciidoc new file mode 100644 index 0000000000..9249ffb648 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-firewall-rule-creation.asciidoc 
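Review bot: the argument pattern `process.args : ("-*i*", "+*i*")` also matches `chattr -i`, which removes the immutable flag, so the rule fires on the opposite of what the title and description ("Detects a file being made immutable") say; either restrict it to `"+*i*"` or widen the description to cover attribute removal, which is itself worth seeing when it precedes tampering with a previously protected file. Two narrower points on the same query: `process.executable : "/usr/bin/chattr"` misses installations that place the binary at `/bin/chattr` and any copy an attacker makes elsewhere (matching on `process.name : "chattr"`, as the other host rules match on `process.name`, is more robust), and the parent exclusion covers `/lib/systemd/systemd` but not `/usr/lib/systemd/systemd`, the path on usr-merged distributions. This rule also uses `event.type == "start"` while listing `auditbeat-*` as an index, whereas the other EQL rules in this package use `event.type in ("start", "process_started")` for exactly that reason. Finally, `see also <>` on the "Searches indices from" line is an empty asciidoc cross-reference; the xref target is missing, and the same gap appears in every file in this patch.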
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-gcp-firewall-rule-creation]] +=== GCP Firewall Rule Creation + +Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/vpc/docs/firewalls +* https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
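Review bot: unlike the IAM rules in this same package, the query `event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)` has no `event.outcome:success` clause, so denied or failed insert attempts raise the same alert as a rule that actually took effect. That is defensible (a failed attempt by an unexpected principal is a useful signal) but it should be stated in the description, and the guide should tell the analyst to check the outcome first. `Searches indices from: None` on this and every other GCP rule in the patch means no explicit look-back is set; with a 5-minute interval and cloud audit logs that routinely arrive late, events can fall between runs, so set an explicit `from` such as the `now-9m` the host rules use, or larger. Severity `low` for creation against `medium` for deletion and modification also reads backwards: a new allow rule with a broad source range is the most direct way to expose an instance, which the description itself calls out.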
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-firewall-rule-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-firewall-rule-deletion.asciidoc new file mode 100644 index 0000000000..5af6b0e02b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-firewall-rule-deletion.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-gcp-firewall-rule-deletion]] +=== GCP Firewall Rule Deletion + +Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/vpc/docs/firewalls +* https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
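Review bot: the description treats every deletion as weakening controls, but deleting an allow rule hardens and deleting a deny rule weakens, and `*.compute.firewalls.delete` cannot tell them apart. The investigation guide, which currently contains only the setup sentence, should direct the analyst to recover the deleted rule's definition (direction, action, priority, source ranges, target tags) from the audit entry or from the earlier `insert`/`patch` event for the same rule name so the alert can be classified. The missing `event.outcome:success` filter noted on the creation rule applies here as well.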
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-firewall-rule-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-firewall-rule-modification.asciidoc new file mode 100644 index 0000000000..64d5a7b815 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-firewall-rule-modification.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-gcp-firewall-rule-modification]] +=== GCP Firewall Rule Modification + +Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/vpc/docs/firewalls +* https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
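Review bot: `*.compute.firewalls.patch` is the only Compute method matched, but the Compute Engine API also exposes `firewalls.update` (a full replacement of the rule), so a change made through that method would not alert; add `*.compute.firewalls.update` to the action list. The App Engine `Firewall.Update*Rule` wildcard is fine as written.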
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-iam-custom-role-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-iam-custom-role-creation.asciidoc new file mode 100644 index 0000000000..8adc2178a2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-iam-custom-role-creation.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-gcp-iam-custom-role-creation]] +=== GCP IAM Custom Role Creation + +Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/iam/docs/understanding-custom-roles + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ 
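Review bot: the query matches only `google.iam.admin.v*.CreateRole`, yet the privilege-creep scenario the description warns about is usually an existing custom role gaining permissions through `UpdateRole`, which this rule does not cover; either add `google.iam.admin.v*.UpdateRole` here or note that it belongs to a companion rule. The ATT&CK block also lists Valid Accounts (T1078) twice, under Initial Access and under Persistence; creating a role is not the use of a valid account, and a Privilege Escalation mapping (for example Account Manipulation, T1098) would match the description better.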
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-iam-role-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-iam-role-deletion.asciidoc new file mode 100644 index 0000000000..bd14784c2d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-iam-role-deletion.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-iam-role-deletion]] +=== GCP IAM Role Deletion + +Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/iam/docs/understanding-roles + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Account Access Removal +** ID: T1531 +** Reference URL: https://attack.mitre.org/techniques/T1531/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-iam-service-account-key-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-iam-service-account-key-deletion.asciidoc new file mode 100644 index 0000000000..e604c03ae4 --- /dev/null 
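Review bot: the investigation guide gives no triage or recovery step. Deleting a custom role in GCP is a soft delete that can be reversed with `UndeleteRole` during the undelete window, and while the role is deleted its permissions are withdrawn from every binding that references it, which is the access-removal effect the Impact/T1531 mapping rests on. The guide should say that restoring the role is the immediate remediation, and `google.iam.admin.v*.UndeleteRole` deserves coverage of its own, since an attacker can just as easily undelete a role an administrator removed.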
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-iam-service-account-key-deletion.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-gcp-iam-service-account-key-deletion]] +=== GCP IAM Service Account Key Deletion + +Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/iam/docs/service-accounts +* https://cloud.google.com/iam/docs/creating-managing-service-account-keys + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ 
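Review bot: the description itself says key rotation is a best practice, so `DeleteServiceAccountKey` will fire on every scheduled rotation; the query has no exclusion for the rotation principal in the way the Kubernetes role-binding rule in this package excludes `system:addon-manager` via `gcp.audit.authentication_info.principal_email`, and the guide should at least tell users to add one. The Persistence / Account Manipulation (T1098) mapping fits key creation rather than deletion; deleting a key denies the application access, which is closer to Impact. Minor: "two sets of public/private RSA key pairs" blurs the distinction between Google-managed and user-managed keys, and it is the user-managed set that this method removes.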
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-kubernetes-rolebindings-created-or-patched.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-kubernetes-rolebindings-created-or-patched.asciidoc new file mode 100644 index 0000000000..c0bce7f379 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-kubernetes-rolebindings-created-or-patched.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-gcp-kubernetes-rolebindings-created-or-patched]] +=== GCP Kubernetes Rolebindings Created or Patched + +Identifies the creation or patching of potentially malicious role bindings. Users can use role bindings and cluster role bindings to assign roles to Kubernetes subjects (users, groups, or service accounts). + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging +* https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/ +* https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 5 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or +io.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or +io.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success and +not gcp.audit.authentication_info.principal_email:"system:addon-manager" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ 
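Review bot: the Framework block lists the Privilege Escalation tactic with no technique beneath it, which every other rule in this patch provides; add one (Account Manipulation, T1098, is the usual choice for granting roles to a subject). The action list covers `.create` and `.patch` but not `.update`: `kubectl replace` and client libraries that PUT the whole object are logged as `io.k8s.authorization.rbac.v*.rolebindings.update` (likewise for `clusterrolebindings`), so that path is missed. Also, `event.dataset:(googlecloud.audit or gcp.audit)` differs from the plain `gcp.audit` used by the other GCP rules; harmless, but worth aligning.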
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-logging-bucket-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-logging-bucket-deletion.asciidoc new file mode 100644 index 0000000000..006663bc3f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-logging-bucket-deletion.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-gcp-logging-bucket-deletion]] +=== GCP Logging Bucket Deletion + +Identifies a logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/logging/docs/buckets +* https://cloud.google.com/logging/docs/storage + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
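Review bot: `DeleteBucket` is matched but `UpdateBucket` is not, and shortening a bucket's retention is a quieter way to destroy evidence than deleting the bucket; consider a companion action or a note in the guide. The mapping stops at Impair Defenses (T1562) where the sub-technique Disable or Modify Cloud Logs (T1562.008) is the precise fit. The description's point that the bucket stays pending for 7 days also deserves a response step: during that window the deletion can be reversed with `UndeleteBucket`, which should be the first remediation the guide recommends.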
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-logging-sink-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-logging-sink-deletion.asciidoc new file mode 100644 index 0000000000..ca1ed41e60 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-logging-sink-deletion.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-logging-sink-deletion]] +=== GCP Logging Sink Deletion + +Identifies a logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, it's compared to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a logging sink to evade detection. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/logging/docs/export + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-logging-sink-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-logging-sink-modification.asciidoc new file mode 100644 index 0000000000..3a9589fca7 --- /dev/null 
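Review bot: the investigation guide is only the setup sentence. The triage detail that matters most is the deleted sink's scope: a sink defined at folder or organization level with `includeChildren` set exports logs for every project beneath it, so deleting one blinds collection far beyond the project named in the audit entry; the guide should direct the analyst to the resource name and to the sink's last known destination and filter. As with the bucket rule, Disable or Modify Cloud Logs (T1562.008) is the precise sub-technique.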
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-logging-sink-modification.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-logging-sink-modification]] +=== GCP Logging Sink Modification + +Identifies a modification to a logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a logging sink to exfiltrate logs to a different export destination. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/logging/docs/export#how_sinks_work + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Transfer Data to Cloud Account +** ID: T1537 +** Reference URL: https://attack.mitre.org/techniques/T1537/ 
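Review bot: the ATT&CK mapping is Exfiltration / Transfer Data to Cloud Account (T1537) only, based on the destination-change case in the description, but `UpdateSink` also changes the sink's `filter` and exclusions; an attacker who narrows the filter so that their own activity is never exported is performing defense evasion (T1562.008), and the audit entry looks the same. The description should mention the filter case and the mapping should carry both tactics. Low severity for an edit to the log-export path is also questionable when sink deletion is medium.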
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-subscription-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-subscription-creation.asciidoc new file mode 100644 index 0000000000..bad9bb5343 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-subscription-creation.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-pub-sub-subscription-creation]] +=== GCP Pub/Sub Subscription Creation + +Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/pubsub/docs/overview + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Cloud Storage Object +** ID: T1530 +** Reference URL: https://attack.mitre.org/techniques/T1530/ 
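Review bot: the description explains what a subscription is but not why creating one is worth an alert: once a subscription exists on a topic, its subscriber receives a copy of every message published to that topic from then on, so an unexpected subscription is a passive tap on the data stream, including any security log pipeline routed through Pub/Sub, which the Log Auditing tag hints at. Say so. The mapping to Data from Cloud Storage Object (T1530) does not fit Pub/Sub, which is a messaging service, not object storage.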
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-subscription-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-subscription-deletion.asciidoc new file mode 100644 index 0000000000..a3b65bba62 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-subscription-deletion.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-pub-sub-subscription-deletion]] +=== GCP Pub/Sub Subscription Deletion + +Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/pubsub/docs/overview + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
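Review bot: the description is the creation rule's text verbatim and never says why deletion matters: deleting a subscription discards its undelivered messages and silently stops the consumer, and when that consumer is a log-forwarding pipeline that is the evasion scenario the Defense Evasion mapping implies. State it, and add tuning guidance so users can restrict the alert to subscriptions that feed security tooling rather than every application subscription.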
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-topic-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-topic-creation.asciidoc new file mode 100644 index 0000000000..2e9faec8c0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-topic-creation.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-pub-sub-topic-creation]] +=== GCP Pub/Sub Topic Creation + +Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/pubsub/docs/admin + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Cloud Storage Object +** ID: T1530 +** Reference URL: https://attack.mitre.org/techniques/T1530/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-topic-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-topic-deletion.asciidoc new file mode 100644 index 0000000000..b9ff8d0791 --- /dev/null 
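Review bot: same gap as the subscription creation rule: the description gives the definition of a topic but no adversary rationale, and Data from Cloud Storage Object (T1530) is not a fitting technique for creating a messaging topic. If the intent is an attacker-created channel for moving data out of the environment, an Exfiltration mapping would be more accurate than Collection, and the description should say which case the rule is meant to catch.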
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-pub-sub-topic-deletion.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-pub-sub-topic-deletion]] +=== GCP Pub/Sub Topic Deletion + +Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/pubsub/docs/overview + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Log Auditing + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-creation.asciidoc new file mode 100644 index 0000000000..129f83a4ae --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-creation.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-service-account-creation]] +=== GCP Service Account Creation + +Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/iam/docs/service-accounts + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-deletion.asciidoc new file mode 100644 index 0000000000..15eed491ab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-deletion.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-service-account-deletion]] +=== GCP Service Account Deletion + +Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/iam/docs/service-accounts + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Account Access Removal +** ID: T1531 +** Reference URL: https://attack.mitre.org/techniques/T1531/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-disabled.asciidoc new file mode 100644 index 0000000000..8def933c20 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-disabled.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-service-account-disabled]] +=== GCP Service Account Disabled + +Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/iam/docs/service-accounts + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Account Access Removal +** ID: T1531 +** Reference URL: https://attack.mitre.org/techniques/T1531/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-key-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-key-creation.asciidoc new file mode 100644 index 0000000000..b798ea5749 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-service-account-key-creation.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-gcp-service-account-key-creation]] +=== GCP Service Account Key Creation + +Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/iam/docs/service-accounts +* https://cloud.google.com/iam/docs/creating-managing-service-account-keys + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-storage-bucket-configuration-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-storage-bucket-configuration-modification.asciidoc new file mode 100644 index 0000000000..127ce244ff --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-storage-bucket-configuration-modification.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-gcp-storage-bucket-configuration-modification]] +=== GCP Storage Bucket Configuration Modification + +Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/storage/docs/key-terms#buckets + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Identity and Access +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Cloud Compute Infrastructure +** ID: T1578 +** Reference URL: https://attack.mitre.org/techniques/T1578/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-storage-bucket-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-storage-bucket-deletion.asciidoc new file mode 100644 index 0000000000..57cddd4dce --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-storage-bucket-deletion.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-storage-bucket-deletion]] +=== GCP Storage Bucket Deletion + +Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/storage/docs/key-terms#buckets + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:"storage.buckets.delete" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-storage-bucket-permissions-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-storage-bucket-permissions-modification.asciidoc new file mode 100644 index 0000000000..1658e29bb7 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-storage-bucket-permissions-modification.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-gcp-storage-bucket-permissions-modification]] +=== GCP Storage Bucket Permissions Modification + +Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/storage/docs/access-control/iam-permissions + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-virtual-private-cloud-network-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-virtual-private-cloud-network-deletion.asciidoc new file mode 100644 index 0000000000..6cea36cf96 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-virtual-private-cloud-network-deletion.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-gcp-virtual-private-cloud-network-deletion]] +=== GCP Virtual Private Cloud Network Deletion + +Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/vpc/docs/vpc + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Configuration Audit +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-virtual-private-cloud-route-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-virtual-private-cloud-route-creation.asciidoc new file mode 100644 index 0000000000..3201e14482 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-virtual-private-cloud-route-creation.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-gcp-virtual-private-cloud-route-creation]] +=== GCP Virtual Private Cloud Route Creation + +Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/vpc/docs/routes +* https://cloud.google.com/vpc/docs/using-routes + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Configuration Audit +* Defense Evasion + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-virtual-private-cloud-route-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-virtual-private-cloud-route-deletion.asciidoc new file mode 100644 index 0000000000..b3fcb8f5f6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-gcp-virtual-private-cloud-route-deletion.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-gcp-virtual-private-cloud-route-deletion]] +=== GCP Virtual Private Cloud Route Deletion + +Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-gcp* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/vpc/docs/routes +* https://cloud.google.com/vpc/docs/using-routes + +*Tags*: + +* Elastic +* Cloud +* GCP +* Continuous Monitoring +* SecOps +* Configuration Audit +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-admin-role-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-admin-role-assigned-to-a-user.asciidoc new file mode 100644 index 0000000000..2061fb7422 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-admin-role-assigned-to-a-user.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-google-workspace-admin-role-assigned-to-a-user]] +=== Google Workspace Admin Role Assigned to a User + +Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target’s environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/172176?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-admin-role-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-admin-role-deletion.asciidoc new file mode 100644 index 0000000000..845c991045 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-admin-role-deletion.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-google-workspace-admin-role-deletion]] +=== Google Workspace Admin Role Deletion + +Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/2406043?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc new file mode 100644 index 0000000000..bb14c52cbc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority]] +=== Google Workspace API Access Granted via Domain-Wide Delegation of Authority + +Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developers.google.com/admin-sdk/directory/v1/guides/delegation + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-custom-admin-role-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-custom-admin-role-created.asciidoc new file mode 100644 index 0000000000..2511a606f4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-custom-admin-role-created.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-google-workspace-custom-admin-role-created]] +=== Google Workspace Custom Admin Role Created + +Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/2406043?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-mfa-enforcement-disabled.asciidoc new file mode 100644 index 0000000000..2570f8a702 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-mfa-enforcement-disabled.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-google-workspace-mfa-enforcement-disabled]] +=== Google Workspace MFA Enforcement Disabled + +Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/9176657?hl=en# + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 13 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-password-policy-modified.asciidoc new file mode 100644 index 0000000000..4ad6f99528 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-password-policy-modified.asciidoc 
@@ -0,0 +1,87 @@ +[[prebuilt-rule-7-16-4-google-workspace-password-policy-modified]] +=== Google Workspace Password Policy Modified + +Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 13 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and + event.provider:admin and event.category:iam and + event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and + gsuite.admin.setting.name:( + "Password Management - Enforce strong password" or + "Password Management - Password reset frequency" or + "Password Management - Enable password reuse" or + "Password Management - Enforce password policy at next login" or + "Password Management - Minimum password length" or + "Password Management - Maximum password length" + ) or + google_workspace.admin.setting.name:( + "Password Management - Enforce strong password" or + "Password Management - Password reset frequency" or + "Password Management - Enable password reuse" or + "Password Management - Enforce password policy at next login" or + "Password Management - Minimum password length" or + "Password Management - Maximum password length" + ) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-role-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-role-modified.asciidoc new file mode 100644 index 0000000000..847800878d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-google-workspace-role-modified.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-google-workspace-role-modified]] +=== Google Workspace Role Modified + +Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/2406043?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-group-policy-abuse-for-privilege-addition.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-group-policy-abuse-for-privilege-addition.asciidoc new file mode 100644 index 0000000000..60413ede44 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-group-policy-abuse-for-privilege-addition.asciidoc 
@@ -0,0 +1,126 @@ +[[prebuilt-rule-7-16-4-group-policy-abuse-for-privilege-addition]] +=== Group Policy Abuse for Privilege Addition + +Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md +* https://labs.f-secure.com/tools/sharpgpoabuse + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation +* Active Directory + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Group Policy Abuse for Privilege Addition + +Group Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF +file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. +This file is unique for each GPO, and only exists if the GPO contains security settings. +Example Path: "\\DC.com\SysVol\DC.com\Policies\{PolicyGUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf" + +#### Possible investigation steps + +- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity +is legitimate and the administrator is authorized to perform this operation. 
+- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially +dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc. +- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges. + +### False positive analysis + +- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the +`winlog.event_data.SubjectUserName` field. + +### Related rules + +- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e +- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- The investigation and containment must be performed in every computer controlled by the GPO, where necessary. +- Remove the script from the GPO. +- Check if other GPOs have suspicious scripts attached. + +## Setup + +The 'Audit Directory Service Changes' audit policy must be configured (Success Failure). 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:"gPCMachineExtensionNames" and +winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Domain Policy Modification +** ID: T1484 +** Reference URL: https://attack.mitre.org/techniques/T1484/ +* Sub-technique: +** Name: Group Policy Modification +** ID: T1484.001 +** Reference URL: https://attack.mitre.org/techniques/T1484/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc new file mode 100644 index 0000000000..120ac3b981 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc 
@@ -0,0 +1,96 @@ +[[prebuilt-rule-7-16-4-high-number-of-okta-user-password-reset-or-unlock-attempts]] +=== High Number of Okta User Password Reset or Unlock Attempts + +Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic +* @BenB196 +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and + event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or + system.sms.send_account_unlock_message or system.sms.send_password_reset_message or + system.voice.send_account_unlock_call or system.voice.send_password_reset_call or + user.account.unlock_token) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-high-number-of-process-terminations.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-high-number-of-process-terminations.asciidoc new file mode 100644 index 0000000000..b7496c1104 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-high-number-of-process-terminations.asciidoc 
@@ -0,0 +1,109 @@ +[[prebuilt-rule-7-16-4-high-number-of-process-terminations]] +=== High Number of Process Terminations + +This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Impact + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating High Number of Process Terminations + +Attackers can kill processes for a variety of purposes. For example, they can kill process associated +with business applications and databases to release the lock on files used by these applications so they may be +encrypted,or stop security and backup solutions, etc. + +This rule identifies a high number (10) of process terminations via pkill from the same +host within a short time period. + +#### Possible investigation steps + +Detection alerts from this rule indicate High Number of Process Terminations from the same host +Here are some possible avenues of investigation: +- Examine the entry point to the host and user in action via the Analyse View. + - Identify the session entry leader and session user +- Examine the contents of session leading to the process termination(s) via the Session View. 
+ - Examine the command execution pattern in the session, which may lead to suspricous activities +- Examine the process killed during the malicious execution + - Identify imment threat to the system from the process killed + - Take necessary incident response actions to respawn necessary process + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Reimage the host operating system or restore it to the operational state. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look +for ransomware preparation and execution activities. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:start and process.name:"pkill" and process.args:"-f" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-hosts-file-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-hosts-file-modified.asciidoc new file mode 100644 index 0000000000..54b5cdaa2a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-hosts-file-modified.asciidoc 
@@ -0,0 +1,98 @@ +[[prebuilt-rule-7-16-4-hosts-file-modified]] +=== Hosts File Modified + +The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html + +*Tags*: + +* Elastic +* Host +* Linux +* Windows +* macOS +* Threat Detection +* Impact + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml. + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where + + /* file events for creation; file change events are not captured by some of the included sources for linux and so may + miss this, which is the purpose of the process + command line args logic below */ + ( + event.category == "file" and event.type in ("change", "creation") and + file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") + ) + or + + /* process events for change targeting linux only */ + ( + event.category == "process" and event.type in ("start") and + process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and + process.args : ("/etc/hosts") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Manipulation +** ID: T1565 +** Reference URL: https://attack.mitre.org/techniques/T1565/ +* Sub-technique: +** Name: Stored Data Manipulation +** ID: T1565.001 +** Reference URL: https://attack.mitre.org/techniques/T1565/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-iis-http-logging-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-iis-http-logging-disabled.asciidoc new file mode 100644 index 0000000000..fefb9a6838 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-iis-http-logging-disabled.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-iis-http-logging-disabled]] +=== IIS HTTP Logging Disabled + +Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and + process.args : "/dontLog*:*True" and + not process.parent.name : "iissetup.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-imageload-via-windows-update-auto-update-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-imageload-via-windows-update-auto-update-client.asciidoc new file mode 100644 index 0000000000..8aaf5e5cc2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-imageload-via-windows-update-auto-update-client.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-imageload-via-windows-update-auto-update-client]] +=== ImageLoad via Windows Update Auto Update Client + +Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://dtm.uk/wuauclt/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.pe.original_file_name == "wuauclt.exe" or process.name : "wuauclt.exe") and + /* necessary windows update client args to load a dll */ + process.args : "/RunHandlerComServer" and process.args : "/UpdateDeploymentProvider" and + /* common paths writeable by a standard user where the target DLL can be placed */ + process.args : ("C:\\Users\\*.dll", "C:\\ProgramData\\*.dll", "C:\\Windows\\Temp\\*.dll", "C:\\Windows\\Tasks\\*.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc new file mode 100644 index 0000000000..8e20c2bffa --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-inbound-connection-to-an-unsecure-elasticsearch-node]] +=== Inbound Connection to an Unsecure Elasticsearch Node + +Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html +* https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers + +*Tags*: + +* Elastic +* Network +* Threat Detection +* Initial Access +* Host + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT _exists_:http.request.headers.authorization + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-incoming-dcom-lateral-movement-via-mshta.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-incoming-dcom-lateral-movement-via-mshta.asciidoc new file mode 100644 index 0000000000..9f98dd8265 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-incoming-dcom-lateral-movement-via-mshta.asciidoc 
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-incoming-dcom-lateral-movement-via-mshta]] +=== Incoming DCOM Lateral Movement via MSHTA + +Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://codewhitesec.blogspot.com/2018/07/lethalhta.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [process where event.type in ("start", "process_started") and + process.name : "mshta.exe" and process.args : "-Embedding" + ] by host.id, process.entity_id + [network where event.type == "start" and process.name : "mshta.exe" and + network.direction : ("incoming", "ingress") and network.transport == "tcp" and + source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1" + ] by host.id, process.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Distributed Component Object Model +** ID: T1021.003 +** Reference URL: https://attack.mitre.org/techniques/T1021/003/ +* Tactic: +** Name: Defense 
Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Mshta +** ID: T1218.005 +** Reference URL: https://attack.mitre.org/techniques/T1218/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-installation-of-security-support-provider.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-installation-of-security-support-provider.asciidoc new file mode 100644 index 0000000000..f823b00184 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-installation-of-security-support-provider.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-installation-of-security-support-provider]] +=== Installation of Security Support Provider + +Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where + registry.path : ("HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*", + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*") and + not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Security Support Provider +** ID: T1547.005 +** Reference URL: https://attack.mitre.org/techniques/T1547/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-installutil-process-making-network-connections.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-installutil-process-making-network-connections.asciidoc new file mode 100644 index 0000000000..088b938b50 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-installutil-process-making-network-connections.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-7-16-4-installutil-process-making-network-connections]] +=== InstallUtil Process Making Network Connections + +Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ + +sequence by process.entity_id + [process where event.type in ("start", "process_started") and process.name : "installutil.exe"] + [network where process.name : "installutil.exe" and network.direction : ("outgoing", "egress")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: InstallUtil +** ID: T1218.004 +** Reference URL: https://attack.mitre.org/techniques/T1218/004/ 
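Review bot: the `sequence by process.entity_id` in the InstallUtil Process Making Network Connections query has no `maxspan`, so there is no upper bound on the time between the process start and the first outbound connection; the Incoming DCOM Lateral Movement via MSHTA rule in this same package uses `sequence with maxspan=1m`, and a bounded window here would keep sequence state small and make the comment about alerting only on the first network connection more predictable. Also, only `process.name : "installutil.exe"` is matched, whereas the wuauclt rule additionally checks `process.pe.original_file_name`; adding the same check keeps the two rules consistent and makes the match independent of the on-disk file name. Like the MSHTA rule, this EQL rule indexes `winlogbeat-*` but carries no `## Setup` note about `event.ingested` on pre-8.2 Beats indices, unlike the wuauclt, Security Support Provider and Startup Folder rules.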
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kerberos-cached-credentials-dumping.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kerberos-cached-credentials-dumping.asciidoc new file mode 100644 index 0000000000..f2466129f3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kerberos-cached-credentials-dumping.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-kerberos-cached-credentials-dumping]] +=== Kerberos Cached Credentials Dumping + +Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py +* https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Credential Access + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and + process.name:kcc and + process.args:copy_cred_cache + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: Kerberoasting +** ID: T1558.003 +** Reference URL: https://attack.mitre.org/techniques/T1558/003/ 
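Review bot: the MITRE mapping in the Kerberos Cached Credentials Dumping hunk lists the sub-technique Kerberoasting (T1558.003), but the behavior the rule describes (`kcc` with `copy_cred_cache`, copying locally cached tickets) is theft of an existing credential cache, not requesting service tickets and cracking them offline; the parent technique T1558 on its own, together with the OS Credential Dumping (T1003) entry already listed, describes this rule more accurately. The rule also ships no Investigation guide; a short triage note on confirming the parent process of `kcc` and checking whether the copied cache file subsequently left the host would help analysts work the alert.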
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kerberos-pre-authentication-disabled-for-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kerberos-pre-authentication-disabled-for-user.asciidoc new file mode 100644 index 0000000000..a6040aa8b3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kerberos-pre-authentication-disabled-for-user.asciidoc 
@@ -0,0 +1,130 @@ +[[prebuilt-rule-7-16-4-kerberos-pre-authentication-disabled-for-user]] +=== Kerberos Pre-authentication Disabled for User + +Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://harmj0y.medium.com/roasting-as-reps-e6179a65216b +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738 +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Kerberos Pre-authentication Disabled for User + +Kerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting +access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request +(AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to +successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server +Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is +signed with the user’s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' – Enabled` should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication. + +AS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that +if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that +can be brute-forced offline, similarly to Kerberoasting. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Determine if the target account is sensitive or privileged. +- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe. + +### False positive analysis + +- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team +should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Reset the target account's password if there is any risk of TGTs having been retrieved. +- Re-enable the preauthentication option or disable the target account. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'Audit User Account Management' logging policy must be configured for (Success, Failure). +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Account Management > +Audit User Account Management (Success,Failure) +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.code:4738 and message:"'Don't Require Preauth' - Enabled" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: AS-REP Roasting +** ID: T1558.004 +** Reference URL: https://attack.mitre.org/techniques/T1558/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kerberos-traffic-from-unusual-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kerberos-traffic-from-unusual-process.asciidoc new file mode 100644 index 0000000000..0c1dc8ea7a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kerberos-traffic-from-unusual-process.asciidoc 
@@ -0,0 +1,140 @@ +[[prebuilt-rule-7-16-4-kerberos-traffic-from-unusual-process]] +=== Kerberos Traffic from Unusual Process + +Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Kerberos Traffic from Unusual Process + +Kerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for +client/server applications by using secret-key cryptography. + +Domain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of +traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of +Kerberos tickets. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if the Destination IP is related to a Domain Controller. +- Review event ID 4769 for suspicious ticket requests. 
+- Retrieve the process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a +non-standard port or destination IP address unrelated to Domain controllers can create false positives. +- Exceptions can be added for noisy/frequent connections. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. + - Ticket requests can be used to investigate potentially compromised accounts. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. 
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +network where event.type == "start" and network.direction : ("outgoing", "egress") and + destination.port == 88 and source.port >= 49152 and + not process.executable : + ("?:\\Windows\\System32\\lsass.exe", + "System", + "\\device\\harddiskvolume?\\windows\\system32\\lsass.exe", + "?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe", + "?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe", + "?:\\Program Files (x86)\\SuperScan\\scanner.exe", + "?:\\Program Files (x86)\\Nmap\\nmap.exe", + "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe") and + destination.address !="127.0.0.1" and destination.address !="::1" and + /* insert false positives here */ + not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: 
https://attack.mitre.org/techniques/T1558/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kernel-module-load-via-insmod.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kernel-module-load-via-insmod.asciidoc new file mode 100644 index 0000000000..89564ee02c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-kernel-module-load-via-insmod.asciidoc 
@@ -0,0 +1,66 @@ +[[prebuilt-rule-7-16-4-kernel-module-load-via-insmod]] +=== Kernel module load via insmod + +Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. + +*Rule type*: eql + +*Rule indices*: + +* logs-* + +*Severity*: medium + +*Risk score*: 85 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Persistence +* Rootkit + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and process.executable : "/usr/sbin/insmod" and process.args : "*.ko" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ 
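Review bot: `*Risk score*: 85` in the Kernel module load via insmod hunk does not follow the severity/risk-score pairing used by every other rule in this package (medium with 47, high with 73), while the severity stays medium; either the score or the severity looks wrong. The query only matches `process.executable : "/usr/sbin/insmod"`; on distributions without a merged `/usr`, the binary lives at `/sbin/insmod`, so `("/sbin/insmod", "/usr/sbin/insmod")` or a `process.name : "insmod"` check would avoid a silent miss. `*Rule indices*: logs-*` is also far broader than the `logs-endpoint.events.*` pattern the other endpoint rules use and will scan unrelated data streams every 5 minutes. Typo in the description: "suspcious".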
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-keychain-password-retrieval-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-keychain-password-retrieval-via-command-line.asciidoc new file mode 100644 index 0000000000..368177ddcc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-keychain-password-retrieval-via-command-line.asciidoc 
@@ -0,0 +1,91 @@ +[[prebuilt-rule-7-16-4-keychain-password-retrieval-via-command-line]] +=== Keychain Password Retrieval via Command Line + +Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.netmeister.org/blog/keychain-passwords.html +* https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py +* https://ss64.com/osx/security.html +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Credential Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.name : "security" and process.args : "-wa" and process.args : ("find-generic-password", "find-internet-password") and + process.args : ("Chrome*", "Chromium", "Opera", "Safari*", "Brave", "Microsoft Edge", "Edge", "Firefox*") and + not process.parent.executable : "/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-krbtgt-delegation-backdoor.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-krbtgt-delegation-backdoor.asciidoc new file mode 100644 index 0000000000..77c166f670 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-krbtgt-delegation-backdoor.asciidoc 
@@ -0,0 +1,95 @@ +[[prebuilt-rule-7-16-4-krbtgt-delegation-backdoor]] +=== KRBTGT Delegation Backdoor + +Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://skyblue.team/posts/delegate-krbtgt +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence +* Active Directory + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The 'Audit User Account Management' logging policy must be configured for (Success, Failure). 
+Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Account Management > +Audit User Account Management (Success,Failure) +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:modified-user-account and event.code:4738 and winlog.event_data.AllowedToDelegateTo:*krbtgt* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-lateral-movement-via-startup-folder.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-lateral-movement-via-startup-folder.asciidoc new file mode 100644 index 0000000000..8039db9d7d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-lateral-movement-via-startup-folder.asciidoc 
@@ -0,0 +1,92 @@ +[[prebuilt-rule-7-16-4-lateral-movement-via-startup-folder]] +=== Lateral Movement via Startup Folder + +Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mdsec.co.uk/2017/06/rdpinception/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type in ("creation", "change") and + + /* via RDP TSClient mounted share or SMB */ + (process.name : "mstsc.exe" or process.pid == 4) and + + file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc new file mode 100644 index 0000000000..2b7d21ba10 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc 
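Review bot: in the Lateral Movement via Startup Folder query, the `process.pid == 4` branch matches any write the System process makes to a Startup folder over SMB, including legitimate software-deployment pushes through admin shares, yet the investigation guide carries only the `event.ingested` setup note and no false-positive guidance. Suggest a short False positive analysis section naming the expected benign sources, and a note that for Sysmon-sourced `winlogbeat-*` data only file creation is recorded, so the `"change"` half of `event.type in ("creation", "change")` has data only on `logs-endpoint.events.*`.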
@@ -0,0 +1,64 @@ +[[prebuilt-rule-7-16-4-launchdaemon-creation-or-modification-and-immediate-loading]] +=== LaunchDaemon Creation or Modification and Immediate Loading + +Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [file where event.type != "deletion" and file.path : ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")] + [process where event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc new file mode 100644 index 0000000000..5c9499c68e --- /dev/null 
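Review bot: the LaunchDaemon sequence's second step matches only `process.args == "load"`, so the current `launchctl bootstrap system /Library/LaunchDaemons/<plist>` form, which replaces `load`, never completes the sequence; add `"bootstrap"` to the args check. The two steps are also joined by `host.id` alone, so any `launchctl load` within a minute of any plist write satisfies the sequence; constraining the second event with `process.args : ("/Library/LaunchDaemons/*", "/System/Library/LaunchDaemons/*")` ties the load to the directories the first step watches. Writes under `/System/Library/LaunchDaemons/` are SIP-protected on current macOS and deserve more than the rule's `low` severity when they do occur.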
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc 
@@ -0,0 +1,182 @@ +[[prebuilt-rule-7-16-4-linux-restricted-shell-breakout-via-linux-binary-s]] +=== Linux Restricted Shell Breakout via Linux Binary(s) + +Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://gtfobins.github.io/gtfobins/apt/ +* https://gtfobins.github.io/gtfobins/apt-get/ +* https://gtfobins.github.io/gtfobins/nawk/ +* https://gtfobins.github.io/gtfobins/mawk/ +* https://gtfobins.github.io/gtfobins/awk/ +* https://gtfobins.github.io/gtfobins/gawk/ +* https://gtfobins.github.io/gtfobins/busybox/ +* https://gtfobins.github.io/gtfobins/c89/ +* https://gtfobins.github.io/gtfobins/c99/ +* https://gtfobins.github.io/gtfobins/cpulimit/ +* https://gtfobins.github.io/gtfobins/crash/ +* https://gtfobins.github.io/gtfobins/env/ +* https://gtfobins.github.io/gtfobins/expect/ +* https://gtfobins.github.io/gtfobins/find/ +* https://gtfobins.github.io/gtfobins/flock/ +* https://gtfobins.github.io/gtfobins/gcc/ +* https://gtfobins.github.io/gtfobins/mysql/ +* https://gtfobins.github.io/gtfobins/nice/ +* https://gtfobins.github.io/gtfobins/ssh/ +* https://gtfobins.github.io/gtfobins/vi/ +* https://gtfobins.github.io/gtfobins/vim/ +* https://gtfobins.github.io/gtfobins/capsh/ +* https://gtfobins.github.io/gtfobins/byebug/ +* https://gtfobins.github.io/gtfobins/git/ +* https://gtfobins.github.io/gtfobins/ftp/ + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Execution +* GTFOBins 
+ +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Shell Evasion via Linux Utilities +Detection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or +environments by spawning an interactive system shell. +Here are some possible avenues of investigation: +- Examine the entry point to the host and user in action via the Analyse View. + - Identify the session entry leader and session user +- Examine the contents of session leading to the abuse via the Session View. + - Examine the command execution pattern in the session, which may lead to suspricous activities +- Examine the execution of commands in the spawned shell. + - Identify imment threat to the system from the executed commands + - Take necessary incident response actions to contain any malicious behviour caused via this execution. + +### Related rules + +- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences. +- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment + +### Response and remediation + +Initiate the incident response process based on the outcome of the triage. + +- If the triage releaved suspicious netwrok activity from the malicious spawned shell, + - Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware execution via the maliciously spawned shell, + - Search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- If the triage revelaed defence evasion for imparing defenses + - Isolate the involved host to prevent further post-compromise behavior. + - Identified the disabled security guard components on the host and take necessary steps in renebaling the same. + - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same. +- If the triage revelaed addition of persistence mechanism exploit like auto start scripts + - Isolate further login to the systems that can initae auto start scripts. + - Identify the auto start scripts and disable and remove the same from the systems +- If the triage revealed data crawling or data export via remote copy + - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling + - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials. + - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The session view analysis for the command alerted is avalible in versions 8.2 and above. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + + /* launch shells from unusual process */ + (process.name == "capsh" and process.args == "--") or + + /* launching shells from unusual parents or parent+arg combos */ + (process.name in ("bash", "sh", "dash","ash") and + (process.parent.name in ("byebug","git","ftp","strace")) or + + /* shells specified in parent args */ + /* nice rule is broken in 8.2 */ + (process.parent.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") and + ( + (process.parent.name == "nice") or + (process.parent.name == "cpulimit" and process.parent.args == "-f") or + (process.parent.name == "find" and process.parent.args == "-exec" and process.parent.args == ";") or + (process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/") + ) + ) or + + /* shells specified in args */ + (process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") and + (process.parent.name == "crash" and process.parent.args == "-h") or + (process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog") + /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */ + ) + ) or + (process.name == "busybox" and process.args_count == 2 and process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") )or + (process.name == "env" and process.args_count == 2 and process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash")) or + (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args in (":!/bin/bash", ":!/bin/sh", ":!bash", ":!sh")) or + (process.parent.name in ("c89","c99", "gcc") and process.parent.args in ("sh,-s", "bash,-s", "dash,-s", 
"ash,-s", "/bin/sh,-s", "/bin/bash,-s", "/bin/dash,-s", "/bin/ash,-s") and process.parent.args == "-wrapper") or + (process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args in ("spawn /bin/sh;interact", "spawn /bin/bash;interact", "spawn /bin/dash;interact", "spawn sh;interact", "spawn bash;interact", "spawn dash;interact")) or + (process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args in ("\\!*sh", "\\!*bash", "\\!*dash", "\\!*/bin/sh", "\\!*/bin/bash", "\\!*/bin/dash")) or + (process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args in ("ProxyCommand=;sh 0<&2 1>&2", "ProxyCommand=;bash 0<&2 1>&2", "ProxyCommand=;dash 0<&2 1>&2", "ProxyCommand=;/bin/sh 0<&2 1>&2", "ProxyCommand=;/bin/bash 0<&2 1>&2", "ProxyCommand=;/bin/dash 0<&2 1>&2")) or + (process.parent.name in ("nawk", "mawk", "awk", "gawk") and process.parent.args : "BEGIN {system(*)}") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-lsass-memory-dump-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-lsass-memory-dump-creation.asciidoc new file mode 100644 index 0000000000..333a153182 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-lsass-memory-dump-creation.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-lsass-memory-dump-creation]] +=== LSASS Memory Dump Creation + +Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/outflanknl/Dumpert +* https://github.com/hoangprod/AndrewSpecial + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-lsass-memory-dump-handle-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-lsass-memory-dump-handle-access.asciidoc new file mode 100644 index 0000000000..4ca8d07607 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-lsass-memory-dump-handle-access.asciidoc 
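Review bot: the LSASS Memory Dump Creation query is `file where file.name : (...)` with no `event.type` restriction, so it also fires on the rename or deletion of an existing dump and raises a second alert when the dump is cleaned up; scope it with `event.type in ("creation", "change")` to match the "Creation" in the title. Because the match is purely on default file names, a renamed dump bypasses this rule by design; the description should say so and point to the companion LSASS Memory Dump Handle Access rule as the behavioural backstop.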
@@ -0,0 +1,177 @@ +[[prebuilt-rule-7-16-4-lsass-memory-dump-handle-access]] +=== LSASS Memory Dump Handle Access + +Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656 +* https://twitter.com/jsecurity101/status/1227987828534956033?s=20 +* https://attack.mitre.org/techniques/T1003/001/ +* https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html +* http://findingbad.blogspot.com/2017/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating LSASS Memory Dump Handle Access + +Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible +for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles +password changes, and creates access tokens. + +Adversaries may attempt to access credential material stored in LSASS process memory. 
After a user logs on,the system +generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single +sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials can be +harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using +[alternate authentication material](https://attack.mitre.org/techniques/T1550/). + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve the process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, +consider adding exceptions — preferably with a combination of user and command line conditions. +- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on +the correct path and signed with the company's valid digital signature. 
+ +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Scope compromised credentials and disable the accounts. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +## Setup + +Ensure advanced audit policies for Windows are enabled, specifically: +Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested) + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +System Audit Policies > +Object Access > +Audit File System (Success,Failure) +Audit Handle Manipulation (Success,Failure) +``` + +Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights. + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where event.action == "File System" and event.code == "4656" and + + winlog.event_data.ObjectName : ( + "?:\\Windows\\System32\\lsass.exe", + "\\Device\\HarddiskVolume?\\Windows\\System32\\lsass.exe", + "\\Device\\HarddiskVolume??\\Windows\\System32\\lsass.exe") and + + /* The right to perform an operation controlled by an extended access right. 
*/ + + (winlog.event_data.AccessMask : ("0x1fffff" , "0x1010", "0x120089", "0x1F3FFF") or + winlog.event_data.AccessMaskDescription : ("READ_CONTROL", "Read from process memory")) + + /* Common Noisy False Positives */ + + and not winlog.event_data.ProcessName : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\system32\\wbem\\WmiPrvSE.exe", + "?:\\Windows\\System32\\dllhost.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe", + "?:\\Windows\\explorer.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-macos-installer-package-spawns-network-event.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-macos-installer-package-spawns-network-event.asciidoc new file mode 100644 index 0000000000..c609f2c225 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-macos-installer-package-spawns-network-event.asciidoc 
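Review bot: the LSASS Memory Dump Handle Access description lists the access masks as `0x1fffff`, `0x1010`, `0x120089`, while the query also matches `0x1F3FFF`; bring the description in line with the query. The `"?:\\Program Files\\*.exe"` and `"?:\\Program Files (x86)\\*.exe"` exclusions are very broad: a binary an attacker drops anywhere under Program Files (trivial with the administrative rights LSASS access already requires) is silently excluded, which undercuts the tool-agnostic claim in the description. Narrow the two patterns to known vendor subdirectories, or pair them with `winlog.event_data.SubjectUserName`, and list them under False positive analysis. Minor: the dangling comment `/* The right to perform an operation controlled by an extended access right. */` describes a single ACE right and does not explain the masks it sits above; replace it with a one-line description of each mask.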
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-macos-installer-package-spawns-network-event]] +=== MacOS Installer Package Spawns Network Event + +Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 74 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://redcanary.com/blog/clipping-silver-sparrows-wings +* https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 +* https://github.com/D00MFist/Mystikal + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Execution +* Command and Control + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, user.id with maxspan=30s +[process where event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")] +[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and 
Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: Web Protocols +** ID: T1071.001 +** Reference URL: https://attack.mitre.org/techniques/T1071/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mfa-disabled-for-google-workspace-organization.asciidoc new file mode 100644 index 0000000000..d0a55feb99 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mfa-disabled-for-google-workspace-organization.asciidoc 
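Review bot: the MacOS Installer Package Spawns Network Event metadata is inconsistent: `*Severity*: medium` with `*Risk score*: 74`, whereas every other rule in this diff pairs medium with 47 and high with 73; one of the two values is wrong. In the query, the `"python"` entries in both steps match the bare name only, so `python3` (the only Python Apple ships on macOS 12.3 and later) is missed; use `"python*"`. The ATT&CK mapping to T1059.007 (JavaScript) fits only the osascript/JXA case; the sh/bash/zsh and python child names map to T1059.004 and T1059.006, which are not listed.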
@@ -0,0 +1,69 @@ +[[prebuilt-rule-7-16-4-mfa-disabled-for-google-workspace-organization]] +=== MFA Disabled for Google Workspace Organization + +Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 13 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-anti-phish-policy-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-anti-phish-policy-deletion.asciidoc new file mode 100644 index 0000000000..742030917d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-anti-phish-policy-deletion.asciidoc 
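Review bot: the MFA Disabled for Google Workspace Organization description says the adversary "may attempt to modify a password policy", but the query keys on `ENFORCE_STRONG_AUTHENTICATION` / `ALLOW_STRONG_AUTHENTICATION` with `new_value:false`, which is 2-Step Verification enforcement, not a password policy; reword it to say MFA enforcement. This is also the only rule in the diff without a `*Framework*: MITRE ATT&CK` section; T1556 (Modify Authentication Process) fits. The setup section links only the `gsuite` Filebeat module page although the rule indices already include `logs-google_workspace*`; link the google_workspace module page as well.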
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-microsoft-365-exchange-anti-phish-policy-deletion]] +=== Microsoft 365 Exchange Anti-Phish Policy Deletion + +Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps +* https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ 
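Review bot: the Microsoft 365 Exchange Anti-Phish Policy Deletion description has a typo: "Anti-phishing polices" should be "policies". The ATT&CK mapping (Initial Access / Phishing, T1566) names the attack this control defends against rather than the adversary behaviour the rule detects; removing an anti-phishing policy is Impair Defenses (T1562), so map that and keep T1566 as context at most. The query requires `event.outcome:success`; a sentence in the guide saying that failed removal attempts are deliberately out of scope would save analysts from wondering why they never see them.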
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-anti-phish-rule-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-anti-phish-rule-modification.asciidoc new file mode 100644 index 0000000000..e4e70130b6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-anti-phish-rule-modification.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-microsoft-365-exchange-anti-phish-rule-modification]] +=== Microsoft 365 Exchange Anti-Phish Rule Modification + +Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps +* https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ 
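Review bot: the description says "Identifies the modification of an anti-phishing rule", but the query only matches `event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule")`, so an edit that leaves the rule enabled is not covered. Either narrow the description to "removal or disabling", the wording the Malware Filter Rule Modification rule in this package already uses ("has been deleted or disabled"), or widen the action list and record the choice in the Setup section so the two rules stay consistent.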
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-dkim-signing-configuration-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-dkim-signing-configuration-disabled.asciidoc new file mode 100644 index 0000000000..7f4b88dc29 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-dkim-signing-configuration-disabled.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-microsoft-365-exchange-dkim-signing-configuration-disabled]] +=== Microsoft 365 Exchange DKIM Signing Configuration Disabled + +Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Data Protection +* Persistence + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ 
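Review bot: the clause `o365.audit.Parameters.Enabled:False` in the rule query is a term match with a capital F; if `o365.audit.Parameters.Enabled` is mapped as a keyword rather than a boolean, the comparison is case-sensitive and a lowercase `false` in the audit record would be missed. The Google Workspace rule at the top of this patch uses lowercase `new_value:false` for the same kind of check, so the two conventions should be reconciled. Confirm the mapping for both the Office 365 Logs Fleet integration and the Filebeat module named in the Setup section, and state the expected value there.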
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-dlp-policy-removed.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-dlp-policy-removed.asciidoc new file mode 100644 index 0000000000..10627e543d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-dlp-policy-removed.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-microsoft-365-exchange-dlp-policy-removed]] +=== Microsoft 365 Exchange DLP Policy Removed + +Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps +* https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-malware-filter-policy-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-malware-filter-policy-deletion.asciidoc new file mode 100644 index 0000000000..6f88ee9bdb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-malware-filter-policy-deletion.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-microsoft-365-exchange-malware-filter-policy-deletion]] +=== Microsoft 365 Exchange Malware Filter Policy Deletion + +Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-malware-filter-rule-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-malware-filter-rule-modification.asciidoc new file mode 100644 index 0000000000..509032b68c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-malware-filter-rule-modification.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-microsoft-365-exchange-malware-filter-rule-modification]] +=== Microsoft 365 Exchange Malware Filter Rule Modification + +Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps +* https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-management-group-role-assignment.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-management-group-role-assignment.asciidoc new file mode 100644 index 0000000000..1b5c54f7e5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-management-group-role-assignment.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-microsoft-365-exchange-management-group-role-assignment]] +=== Microsoft 365 Exchange Management Group Role Assignment + +Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps +* https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ 
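Review bot: the description "a new role is assigned to a management group" does not match the audited cmdlet, `event.action:"New-ManagementRoleAssignment"`, which creates a management role assignment that grants a role to a user, role group or policy rather than assigning something to a "management group". Reword to "a new management role assignment is created" and, in the Setup section, point the analyst at the `o365.audit.Parameters` values of the matching record so the role and the assignee can be read off the alert without a second query.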
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-safe-attachment-rule-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-safe-attachment-rule-disabled.asciidoc new file mode 100644 index 0000000000..417fcfc253 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-safe-attachment-rule-disabled.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-microsoft-365-exchange-safe-attachment-rule-disabled]] +=== Microsoft 365 Exchange Safe Attachment Rule Disabled + +Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
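Review bot: severity is `low` with risk score 21 here, while the sibling defense-evasion rules in this package (DLP Policy Removed, Malware Filter Policy Deletion, Malware Filter Rule Modification) are `medium` with risk score 47 for the same tactic and technique; either justify the lower rating in the description or align it. The description's claim that the rule may be disabled "to exfiltrate data" is also not reflected in the ATT&CK mapping, which lists only Defense Evasion / Impair Defenses (T1562); either drop the exfiltration wording or add the corresponding tactic.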
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-safe-link-policy-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-safe-link-policy-disabled.asciidoc new file mode 100644 index 0000000000..8f6f4fdefb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-safe-link-policy-disabled.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-microsoft-365-exchange-safe-link-policy-disabled]] +=== Microsoft 365 Exchange Safe Link Policy Disabled + +Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps +* https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ 
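Review bot: the title and description speak of a "Safe Link policy" being disabled, but the query and the first reference are about the rule object, `event.action:"Disable-SafeLinksRule"` and disable-safelinksrule; rename to "Safe Links Rule Disabled" or adjust the description, otherwise an analyst will look for a policy change in the audit log and not find one. The `Identity and Access` tag also looks carried over from another rule: the mapped technique is Phishing (T1566) and the change is a configuration change, so `Configuration Audit`, as used by the other Exchange policy rules in this patch, fits better.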
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-transport-rule-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-transport-rule-creation.asciidoc new file mode 100644 index 0000000000..ba09b3da1e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-transport-rule-creation.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-microsoft-365-exchange-transport-rule-creation]] +=== Microsoft 365 Exchange Transport Rule Creation + +Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps +* https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Transfer Data to Cloud Account +** ID: T1537 +** Reference URL: https://attack.mitre.org/techniques/T1537/ 
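Review bot: the query fires on every successful `event.action:"New-TransportRule"`, but the description frames the risk as rules that "forward email to domains outside of your organization"; in a tenant where mail flow rules are created routinely this will be noisy and the alert gives the analyst nothing to distinguish a benign rule from a forwarding one. Either constrain the query on the parameters that redirect or copy mail, the way the Inbox Forwarding Rule Created rule in this patch does with `o365.audit.Parameters.ForwardTo:*` and its siblings, or state in the Setup section that all rule creations alert and are expected to be triaged against change records.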
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-transport-rule-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-transport-rule-modification.asciidoc new file mode 100644 index 0000000000..2ec4722781 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-exchange-transport-rule-modification.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-microsoft-365-exchange-transport-rule-modification]] +=== Microsoft 365 Exchange Transport Rule Modification + +Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps +* https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps +* https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Transfer Data to Cloud Account +** ID: T1537 +** Reference URL: https://attack.mitre.org/techniques/T1537/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-global-administrator-role-assigned.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-global-administrator-role-assigned.asciidoc new file mode 100644 index 0000000000..0cd5f7adcd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-global-administrator-role-assigned.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-microsoft-365-global-administrator-role-assigned]] +=== Microsoft 365 Global Administrator Role Assigned + +In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities, such as the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." 
and +o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Cloud Roles +** ID: T1098.003 +** Reference URL: https://attack.mitre.org/techniques/T1098/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-inbox-forwarding-rule-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-inbox-forwarding-rule-created.asciidoc new file mode 100644 index 0000000000..46096bcd9d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-inbox-forwarding-rule-created.asciidoc 
@@ -0,0 +1,89 @@ +[[prebuilt-rule-7-16-4-microsoft-365-inbox-forwarding-rule-created]] +=== Microsoft 365 Inbox Forwarding Rule Created + +Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide +* https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps +* https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide +* https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 7 + +*Rule authors*: + +* Elastic +* Gary Blackwell +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and +event.category:web and event.action:"New-InboxRule" and + ( + o365.audit.Parameters.ForwardTo:* or + o365.audit.Parameters.ForwardAsAttachmentTo:* or + o365.audit.Parameters.RedirectTo:* + ) + and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Sub-technique: +** Name: Email Forwarding Rule +** ID: T1114.003 +** Reference URL: https://attack.mitre.org/techniques/T1114/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-potential-ransomware-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-potential-ransomware-activity.asciidoc new file mode 100644 index 0000000000..47067bb12d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-potential-ransomware-activity.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-microsoft-365-potential-ransomware-activity]] +=== Microsoft 365 Potential ransomware activity + +Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy +* https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 6 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ 
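Review bot: the `Configuration Audit` tag does not fit this rule, which is an Impact detection (T1486) driven by a Cloud App Security anomaly alert, `event.provider:SecurityComplianceCenter` and `event.action:"Potential ransomware activity"`, rather than by any configuration change; drop the tag so it does not pull this alert into configuration-audit views. Minor: the title "Potential ransomware activity" is the only one in this set not in title case, and the Setup block carries a trailing blank line before its closing delimiter, unlike the other rules.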
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-teams-custom-application-interaction-allowed.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-teams-custom-application-interaction-allowed.asciidoc new file mode 100644 index 0000000000..cfb93adb44 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-teams-custom-application-interaction-allowed.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-microsoft-365-teams-custom-application-interaction-allowed]] +=== Microsoft 365 Teams Custom Application Interaction Allowed + +Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:MicrosoftTeams and +event.category:web and event.action:TeamsTenantSettingChanged and +o365.audit.Name:"Allow sideloading and interaction of custom apps" and +o365.audit.NewValue:True and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ 
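Review bot: The framework section for the Teams custom application rule lists only the Persistence tactic (`** ID: TA0003`) with no technique beneath it, while the sibling Teams rules in this package pair the same tactic with `T1098 Account Manipulation`; add the technique this rule is meant to cover or note why none applies. Minor: the Setup block closes with `----------------------------------` directly after the sentence, without the blank line the other rules leave before the delimiter.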
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-teams-external-access-enabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-teams-external-access-enabled.asciidoc new file mode 100644 index 0000000000..bfa41b2847 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-teams-external-access-enabled.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-microsoft-365-teams-external-access-enabled]] +=== Microsoft 365 Teams External Access Enabled + +Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/microsoftteams/manage-external-access + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and +event.category:web and event.action:"Set-CsTenantFederationConfiguration" and +o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ 
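Review bot: The description promises detection when an adversary enables external access "or add an allowed domain", but the query only matches `o365.audit.Parameters.AllowFederatedUsers:True` on `event.action:"Set-CsTenantFederationConfiguration"`, so a change to the federated domain allow list alone never fires. Either add a clause for the allow-list parameter of that cmdlet or drop the allowed-domain claim from the description so the documented coverage matches the query.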
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-teams-guest-access-enabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-teams-guest-access-enabled.asciidoc new file mode 100644 index 0000000000..2d791b2bb9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-teams-guest-access-enabled.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-microsoft-365-teams-guest-access-enabled]] +=== Microsoft 365 Teams Guest Access Enabled + +Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and +event.category:web and event.action:"Set-CsTeamsClientConfiguration" and +o365.audit.Parameters.AllowGuestUser:True and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ 
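Review bot: The only reference, `https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps`, documents the Get- cmdlet, while the query keys on `event.action:"Set-CsTeamsClientConfiguration"` and `o365.audit.Parameters.AllowGuestUser:True`; point the reference at the Set- cmdlet documentation, which is where the `AllowGuestUser` parameter the query depends on is described.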
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-unusual-volume-of-file-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-unusual-volume-of-file-deletion.asciidoc new file mode 100644 index 0000000000..69cecd98e5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-unusual-volume-of-file-deletion.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-microsoft-365-unusual-volume-of-file-deletion]] +=== Microsoft 365 Unusual Volume of File Deletion + +Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy +* https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 5 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ 
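Review bot: The Setup section only states that the Office 365 Logs integration or Filebeat module is required, but the description says the signal is "reported by Microsoft Cloud App Security" and the query matches `event.provider:SecurityComplianceCenter` with `event.action:"Unusual volume of file deletion"`; the Setup text should add that the Cloud App Security anomaly detection policy named in the References must be enabled and its alerts flowing into the unified audit log, otherwise the rule is deployed but can never fire.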
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-user-restricted-from-sending-email.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-user-restricted-from-sending-email.asciidoc new file mode 100644 index 0000000000..2b5c1d1e4a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-365-user-restricted-from-sending-email.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-microsoft-365-user-restricted-from-sending-email]] +=== Microsoft 365 User Restricted from Sending Email + +Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy +* https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 5 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ 
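Review bot: Both references point at Cloud App Security anomaly-detection and policy-template pages, yet the description attributes the restriction to "exceeding sending limits of the service policies per the Security Compliance Center" and the query keys on `event.action:"User restricted from sending email"`; either add a reference for the Exchange Online sending-restriction alert this rule reports on, or reword the description to say the alert originates from a Cloud App Security policy, so a reader knows which product's documentation explains the alert and how to unblock the user once triage is done.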
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-an-unusual-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-an-unusual-process.asciidoc new file mode 100644 index 0000000000..74be8b2831 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-an-unusual-process.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-microsoft-build-engine-started-an-unusual-process]] +=== Microsoft Build Engine Started an Unusual Process + +An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "MSBuild.exe" and + process.name : ("csc.exe", "iexplore.exe", "powershell.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Sub-technique: +** Name: Compile After Delivery +** ID: T1027.004 +** Reference URL: https://attack.mitre.org/techniques/T1027/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-by-a-script-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-by-a-script-process.asciidoc new file mode 100644 index 0000000000..0dce49beae --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-by-a-script-process.asciidoc 
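Review bot: In the Microsoft Build Engine Started an Unusual Process rule whose query ends this line, the description says MSBuild "started a PowerShell script or the Visual C# Command Line Compiler", but the child list is `process.name : ("csc.exe", "iexplore.exe", "powershell.exe")`; either mention Internet Explorer in the description, since an `iexplore.exe` child will alert under this rule too, or remove it from the list if it is not intended.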
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-microsoft-build-engine-started-by-a-script-process]] +=== Microsoft Build Engine Started by a Script Process + +An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 14 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe") and + process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe", "mshta.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-by-a-system-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-by-a-system-process.asciidoc new file mode 100644 index 0000000000..6d6650e5ab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-by-a-system-process.asciidoc 
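Review bot: In the Microsoft Build Engine Started by a Script Process rule whose query ends this line, the filter is `event.type == "start"`, while the other MSBuild rules in this package (Started an Unusual Process, Started by a System Process, Started by an Office Application) use `event.type in ("start", "process_started")`; if the narrower form is deliberate for `winlogbeat-*` and `logs-windows.*` data, align the sibling rules, otherwise widen this one so all four rules see the same events on the same indices.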
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-microsoft-build-engine-started-by-a-system-process]] +=== Microsoft Build Engine Started by a System Process + +An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 13 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : "MSBuild.exe" and + process.parent.name : ("explorer.exe", "wmiprvse.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-by-an-office-application.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-by-an-office-application.asciidoc new file mode 100644 index 0000000000..e746729eeb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-started-by-an-office-application.asciidoc 
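Review bot: In the Microsoft Build Engine Started by a System Process rule whose query ends this line, MSBuild is identified only by `process.name : "MSBuild.exe"`, whereas the Started by a Script Process rule in this package also accepts `process.pe.original_file_name == "MSBuild.exe"`; add the same `or` clause here so a renamed binary launched from `explorer.exe` or `wmiprvse.exe` is still attributed to this rule rather than depending solely on the separate Using an Alternate Name rule, which carries a lower risk score and loses the parent context.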
@@ -0,0 +1,155 @@ +[[prebuilt-rule-7-16-4-microsoft-build-engine-started-by-an-office-application]] +=== Microsoft Build Engine Started by an Office Application + +An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 13 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Microsoft Build Engine Started by an Office Application + +Microsoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. +You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create +presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted +for initial access. It also has a wide variety of capabilities that attackers can take advantage of. + +The Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML +schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy +execution of code. + +This rule looks for the `Msbuild.exe` utility spawned by MS Office programs. 
This is generally the result of the +execution of malicious documents. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file +modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, +but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, +persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : "MSBuild.exe" and + process.parent.name : ("eqnedt32.exe", + "excel.exe", + "fltldr.exe", + "msaccess.exe", + "mspub.exe", + "outlook.exe", + "powerpnt.exe", + "winword.exe" ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-using-an-alternate-name.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-using-an-alternate-name.asciidoc new file mode 100644 index 0000000000..ae35dc540b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-build-engine-using-an-alternate-name.asciidoc 
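Review bot: In the Microsoft Build Engine Started by an Office Application rule whose query ends this line, the description and triage text say MSBuild was "started by Excel or Word", but the parent list is `("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "outlook.exe", "powerpnt.exe", "winword.exe")`, which also covers Access, Publisher, Outlook, PowerPoint and the Equation Editor and filter-loader helper processes; update the description to "an Office application" and have the investigation section name the helper processes so an analyst is not surprised by an `eqnedt32.exe` parent. Also `Msbuild.exe` in the triage text should use the `MSBuild.exe` spelling the query uses.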
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-microsoft-build-engine-using-an-alternate-name]] +=== Microsoft Build Engine Using an Alternate Name + +An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 13 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.pe.original_file_name == "MSBuild.exe" and + not process.name : "MSBuild.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc new file mode 100644 index 0000000000..797592dda2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc 
@@ -0,0 +1,83 @@ +[[prebuilt-rule-7-16-4-microsoft-exchange-server-um-spawning-suspicious-processes]] +=== Microsoft Exchange Server UM Spawning Suspicious Processes + +Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers +* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Initial Access + +*Version*: 5 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and + not process.executable : + ("?:\\Windows\\System32\\werfault.exe", + "?:\\Windows\\System32\\wermgr.exe", + "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe", + "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe", + "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-exchange-server-um-writing-suspicious-files.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-exchange-server-um-writing-suspicious-files.asciidoc new file mode 100644 index 0000000000..65ccddeae7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-exchange-server-um-writing-suspicious-files.asciidoc 
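Review bot: In the Microsoft Exchange Server UM Spawning Suspicious Processes rule whose query ends this line, the `not process.executable :` exclusion list hard-codes two deployment-specific paths, `"D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe"` and `"E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe"`, beside the general `"?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe"` pattern; keep the general pattern in the rule and move the two custom-drive entries into the Setup text as an example of a per-environment exception, rather than widening to a broad wildcard, since a pattern like `?:\\*\\Bin\\UMWorkerProcess.exe` would also exclude a lookalike binary dropped into any `Bin` folder.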
@@ -0,0 +1,98 @@ +[[prebuilt-rule-7-16-4-microsoft-exchange-server-um-writing-suspicious-files]] +=== Microsoft Exchange Server UM Writing Suspicious Files + +Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers +* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Initial Access + +*Version*: 6 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Positive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines). + +Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems +from existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support +[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security) + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type == "creation" and + process.name : ("UMWorkerProcess.exe", "umservice.exe") and + file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and + ( + file.path : "?:\\inetpub\\wwwroot\\aspnet_client\\*" or + + (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\*" and + not (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\version\\*" or + file.name : ("errorFE.aspx", "expiredpassword.aspx", "frowny.aspx", "GetIdToken.htm", "logoff.aspx", + "logon.aspx", "OutlookCN.aspx", "RedirSuiteServiceProxy.aspx", "signout.aspx"))) or + + (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and + not file.name : "TimeoutLogoff.aspx") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc new file mode 100644 index 0000000000..0a69b034fd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc 
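Review bot: the description sentence "This activity has been observed exploiting CVE-2021-26858" makes the activity the one doing the exploiting; reword to "This activity has been observed during exploitation of CVE-2021-26858" (the UM spawning rule in this package has the same construction with CVE-2021-26857). In the Triage and analysis section the sentence ending "[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)" is missing its terminating period, and the blank lines inside the parenthesised `or` group of the query should be removed so the expression reads as one block.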
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-microsoft-exchange-worker-spawning-suspicious-processes]] +=== Microsoft Exchange Worker Spawning Suspicious Processes + +Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers +* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities +* https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Initial Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and + (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or + process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-iis-connection-strings-decryption.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-iis-connection-strings-decryption.asciidoc new file mode 100644 index 0000000000..bae488a501 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-iis-connection-strings-decryption.asciidoc 
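Review bot: the query clause `process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")` uses `in`, which is a case-sensitive comparison in EQL, while the neighbouring `process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")` uses the case-insensitive `:`. PE OriginalFilename values are not guaranteed to match the lowercase on-disk name, so if case-insensitive matching is intended for both branches (which the `:` on process.name suggests), use `:` with the same list for original_file_name; otherwise document why the two operators differ.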
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-microsoft-iis-connection-strings-decryption]] +=== Microsoft IIS Connection Strings Decryption + +Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/ +* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "aspnet_regiis.exe" or process.pe.original_file_name == "aspnet_regiis.exe") and + process.args : "connectionStrings" and process.args : "-pdf" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-iis-service-account-password-dumped.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-iis-service-account-password-dumped.asciidoc new file mode 100644 index 0000000000..71db99d335 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-iis-service-account-password-dumped.asciidoc 
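Review bot: the description's second sentence, "An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command", needs rewording; suggest "An attacker with access to a Microsoft IIS web server, for example via a web shell, can use the aspnet_regiis command to decrypt and dump hardcoded connection strings, such as the MSSQL service account password." Use "web shell" as two words to match the AppCmd rule that follows in this package.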
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-microsoft-iis-service-account-password-dumped]] +=== Microsoft IIS Service Account Password Dumped + +Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and + process.args : "/list" and process.args : "/text*password" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ 
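Review bot: the query pairs the case-insensitive `process.name : "appcmd.exe"` with the case-sensitive `process.pe.original_file_name == "appcmd.exe"`, so the second branch only fires on an exact-case OriginalFilename match; if both branches are meant to be case-insensitive, use `:` for the original_file_name comparison too. The aspnet_regiis rule just above has the same `:` / `==` split and should be changed the same way.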
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-windows-defender-tampering.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-windows-defender-tampering.asciidoc new file mode 100644 index 0000000000..6aefd32ab4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-microsoft-windows-defender-tampering.asciidoc 
@@ -0,0 +1,156 @@ +[[prebuilt-rule-7-16-4-microsoft-windows-defender-tampering]] +=== Microsoft Windows Defender Tampering + +Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ +* https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html +* https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html +* https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html +* https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html +* https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html +* https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html +* https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Microsoft Windows Defender Tampering + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple +environments. 
Disabling it is a common step in threat actor playbooks. + +This rule monitors the registry for modifications that disable Windows Defender features. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate +software installations. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine which features have been disabled, and check if this operation is done under change management and approved +according to the organization's policy. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, +the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), +and no other suspicious activity has been observed. + +### Related rules + +- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb +- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. 
+- Take actions to restore the appropriate Windows Defender antivirus configurations. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type in ("creation", "change") and + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Features\\TamperProtection" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows 
Defender\\Real-Time Protection\\DisableIntrusionPreventionSystem" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScriptScanning" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Reporting\\DisableEnhancedNotifications" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\DisableBlockAtFirstSeen" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpynetReporting" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SubmitSamplesConsent" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" and + registry.data.strings : ("1", "0x00000001")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ 
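Review bot: operator precedence in the rule query means only the first branch is gated by the event filter: `and` binds tighter than `or` in EQL, so `event.type in ("creation", "change") and (registry.path : "...PUAProtection" and registry.data.strings : ("0", "0x00000000")) or (...) or (...)` applies the event.type condition to the PUAProtection branch alone, and every other registry.path branch matches any registry event type. Wrap the whole chain of `or` branches in one outer pair of parentheses after `event.type in ("creation", "change") and` so the filter covers all of them. On the documentation side, the References list is mostly tenforums tutorials describing each setting; the investigation guide would be more useful if it said which Defender feature each registry value controls.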
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mimikatz-memssp-log-file-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mimikatz-memssp-log-file-detected.asciidoc new file mode 100644 index 0000000000..09ebe13490 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mimikatz-memssp-log-file-detected.asciidoc 
@@ -0,0 +1,125 @@ +[[prebuilt-rule-7-16-4-mimikatz-memssp-log-file-detected]] +=== Mimikatz Memssp Log File Detected + +Identifies the password log file from the default Mimikatz memssp module. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Mimikatz Memssp Log File Detected + +[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached +credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained +an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects +such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network. + +This rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp +module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer +account password, running service credentials, and any accounts that logon. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target +host. +- Retrieve and inspect the log file contents. +- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files. + - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + - Identify the process that created the DLL using file creation events. + +### False positive analysis + +- This file name `mimilsa.log` should not legitimately be created. + +### Related rules + +- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the host is a Domain Controller (DC): + - Activate your incident response plan for total Active Directory compromise. + - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is + being followed and reduce the attack surface. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Reboot the host to remove the injected SSP from memory. +- Reimage the host operating system or restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where file.name : "mimilsa.log" and process.name : "lsass.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-amsienable-registry-key.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-amsienable-registry-key.asciidoc new file mode 100644 index 0000000000..ca74c40f3c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-amsienable-registry-key.asciidoc 
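Review bot: the rule query `file where file.name : "mimilsa.log" and process.name : "lsass.exe"` has no `event.type` filter, unlike the other file rule in this package (`file where event.type == "creation" and ...`), so creation, modification and deletion events on the file all alert; if that is intended, say so in the description, otherwise add `event.type == "creation"`. In the investigation guide, "Investigate the script execution chain (parent process tree)" looks copied from a script-focused rule and should read "process execution chain", since this rule triggers on a file written by lsass.exe rather than on a script.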
@@ -0,0 +1,142 @@ +[[prebuilt-rule-7-16-4-modification-of-amsienable-registry-key]] +=== Modification of AmsiEnable Registry Key + +Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf +* https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Modification of AmsiEnable Registry Key + +The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and +services to integrate with any antimalware product that's present on a machine. AMSI provides integration with multiple +Windows components, ranging from User Account Control (UAC) to VBA Macros. + +Since AMSI is widely used across security products for increased visibility, attackers can disable it to evade +detections that rely on it. + +This rule monitors the modifications to the Software\Microsoft\Windows Script\Settings\AmsiEnable registry key. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the execution of scripts and macros after the registry modification. +- Retrieve scripts or Microsoft Office files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences on other hosts. + +### False positive analysis + +- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and +monitored by the security team, as these modifications expose the host to malware infections. + +### Related rules + +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Delete or set the key to its default value. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type in ("creation", "change") and + registry.path : ( + "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable", + "HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" + ) and + registry.data.strings: ("0", "0x00000000") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
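Review bot: style nit in the rule query: `registry.data.strings: ("0", "0x00000000")` has no space before the `:` operator, whereas the rest of this package writes `registry.data.strings : (...)`; align it for consistency. The remediation step "Delete or set the key to its default value" would be more actionable if the guide stated the default, and the related-rule entry "Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3" should be verified against that rule's id in this package.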
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-boot-configuration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-boot-configuration.asciidoc new file mode 100644 index 0000000000..586a5bbc19 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-boot-configuration.asciidoc 
@@ -0,0 +1,124 @@ +[[prebuilt-rule-7-16-4-modification-of-boot-configuration]] +=== Modification of Boot Configuration + +Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Impact + +*Version*: 14 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Modification of Boot Configuration + +Boot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. +These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to +configure these. + +This rule identifies the usage of `bcdedit.exe` to: + +- Disable Windows Error Recovery (recoveryenabled). +- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures). + +These are common steps in destructive attacks by adversaries leveraging ransomware. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check if any files on the host machine have been encrypted. + +### False positive analysis + +- The usage of these options is not inherently malicious. Administrators can modify these configurations to force a +machine to boot for troubleshooting or data recovery purposes. + +### Related rules + +- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look +for ransomware preparation and execution activities. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "bcdedit.exe" or process.pe.original_file_name == "bcdedit.exe") and + ( + (process.args : "/set" and process.args : "bootstatuspolicy" and process.args : "ignoreallfailures") or + (process.args : "no" and process.args : "recoveryenabled") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.asciidoc new file mode 100644 index 0000000000..7ea85acac9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl]] +=== Modification of Environment Variable via Launchctl + +Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:start and + process.name:launchctl and + process.args:(setenv and not (JAVA*_HOME or + RUNTIME_JAVA_HOME or + DBUS_LAUNCHD_SESSION_BUS_SOCKET or + ANT_HOME or + LG_WEBOS_TV_SDK_HOME or + WEBOS_CLI_TV or + EDEN_ENV) + ) and + not process.parent.executable:("/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or + "/usr/local/bin/kr" or + "/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or + "/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper") and + not process.args : "*.vmoptions" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Path Interception by PATH 
Environment Variable +** ID: T1574.007 +** Reference URL: https://attack.mitre.org/techniques/T1574/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-openssh-binaries.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-openssh-binaries.asciidoc new file mode 100644 index 0000000000..3235a39e6c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-openssh-binaries.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-modification-of-openssh-binaries]] +=== Modification of OpenSSH Binaries + +Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Credential Access +* Persistence + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and event.type:change and + process.name:* and + (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and + not process.name:("dpkg" or "yum" or "dnf" or "dnf-automatic") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ 
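Review bot: In the rule query of prebuilt-rule-7-16-4-modification-of-openssh-binaries.asciidoc, `file.name:libkeyutils.so` is an exact-name match and will not match versioned sonames such as `libkeyutils.so.1`, which is the name the library is actually installed under on most distributions; `file.name:libkeyutils.so*` would cover the form seen in the referenced write-up. Two smaller points in the same query: `process.name:*` only asserts that the field exists and can be dropped, and the package-manager exclusion (`dpkg`, `yum`, `dnf`, `dnf-automatic`) does not cover `rpm` invoked directly, so upgrades done that way will alert; either add it or mention it in a false-positive note, since this rule ships without an investigation guide.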
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-wdigest-security-provider.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-wdigest-security-provider.asciidoc new file mode 100644 index 0000000000..9d3ae4c9aa --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-of-wdigest-security-provider.asciidoc 
@@ -0,0 +1,141 @@ +[[prebuilt-rule-7-16-4-modification-of-wdigest-security-provider]] +=== Modification of WDigest Security Provider + +Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html +* https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019 +* https://frsecure.com/compromised-credentials-response-playbook + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Modification of WDigest Security Provider + +In Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send +cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications +based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, +which is no longer the case with newer Windows versions. 
+ +Still, attackers can force WDigest to store the passwords insecurely on the memory by modifying the +`HKLM\SYSTEM\*ControlSet*\Control\SecurityProviders\WDigest\UseLogonCredential` registry key. This activity is +commonly related to the execution of credential dumping tools. + +#### Possible investigation steps + +- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should +treat any activity triggered from this rule with high priority as it typically represents an active adversary. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences on other hosts. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target +host after the registry modification. + +### False positive analysis + +- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and +monitored by the security team, as these modifications expose the entire domain to credential compromises and +consequently unauthorized access. + +### Related rules + +- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type : ("creation", "change") and + registry.path : + "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" + and registry.data.strings : ("1", "0x00000001") and + not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc new file mode 100644 index 0000000000..11ae7d70fd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-modification-or-removal-of-an-okta-application-sign-on-policy]] +=== Modification or Removal of an Okta Application Sign-On Policy + +Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access +* Persistence + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ 
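Review bot: `*Searches indices from*: None` in prebuilt-rule-7-16-4-modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc means the rule ships with no explicit lookback, while every other rule in this package pairs its 5m interval with a `from` value (now-9m, now-20m, now-25m). Without an explicit `from` the rule relies on the default lookback, and late-arriving Okta system log events can fall outside the window; set `from` explicitly, or if the omission is intentional, say so in the Setup section alongside the Okta integration note.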
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mounting-hidden-or-webdav-remote-shares.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mounting-hidden-or-webdav-remote-shares.asciidoc new file mode 100644 index 0000000000..cf4a2be72a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mounting-hidden-or-webdav-remote-shares.asciidoc 
@@ -0,0 +1,83 @@ +[[prebuilt-rule-7-16-4-mounting-hidden-or-webdav-remote-shares]] +=== Mounting Hidden or WebDav Remote Shares + +Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and + not process.parent.name : "net.exe")) and + process.args : "use" and + /* including hidden and webdav based online shares such as onedrive */ + process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*") and + /* excluding shares deletion operation */ + not process.args : "/d*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-ms-office-macro-security-registry-modifications.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-ms-office-macro-security-registry-modifications.asciidoc new file mode 100644 index 0000000000..27be6d9870 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-ms-office-macro-security-registry-modifications.asciidoc 
@@ -0,0 +1,152 @@ +[[prebuilt-rule-7-16-4-ms-office-macro-security-registry-modifications]] +=== MS Office Macro Security Registry Modifications + +Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating MS Office Macro Security Registry Modifications + +Macros are small programs that are used to automate repetitive tasks in Microsoft Office applications. +Historically, macros have been used for a variety of reasons -- from automating part of a job, to +building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as +part of Microsoft Office files. + +Macros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a +system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros +is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or +spear phishing campaigns. 
+ +Attackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and +no warnings are displayed when they are executed. These settings include: + +* *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code +without showing a security warning or requiring user permission. +* *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security +warning or requiring user permission. + +This rule looks for registry changes affecting the conditions above. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user and check if the change was done manually. +- Verify whether malicious macros were executed after the registry change. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve recently executed Office documents and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity should not happen legitimately. 
The security team should address any potential benign true +positives (B-TPs), as this configuration can put the user and the domain at risk. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Reset the registry key value. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Explore using GPOs to manage security settings for Microsoft Office macros. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type == "change" and + registry.path : ( + "HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM", + "HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings" + ) and + registry.data.strings == "0x00000001" and + process.name : ("cscript.exe", "wscript.exe", "mshta.exe", "mshta.exe", "winword.exe", "excel.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mshta-making-network-connections.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mshta-making-network-connections.asciidoc new file mode 100644 index 0000000000..7c34f9f832 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-mshta-making-network-connections.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-mshta-making-network-connections]] +=== Mshta Making Network Connections + +Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=10m + [process where event.type in ("start", "process_started") and process.name : "mshta.exe" and + not process.parent.name : "Microsoft.ConfigurationManagement.exe" and + not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or + process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and + not process.args : "ADSelfService_Enroll.hta"] + [network where process.name : "mshta.exe"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Mshta +** ID: T1218.005 +** Reference URL: https://attack.mitre.org/techniques/T1218/005/ 
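Review bot: Severity and risk score disagree in prebuilt-rule-7-16-4-mshta-making-network-connections.asciidoc: `*Severity*: medium` is paired with `*Risk score*: 21`, whereas the rest of the package pairs medium with 47 and low with 21 (see the WDigest and Netcat rules for 47, Boot Configuration for 21). Either the severity should be low or the score 47. A style point in the query: the parent-executable exclusions hard-code the drive letter (`"C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe"`, `"C:\\TeamViewer\\TeamViewer.exe"`), while other rules in the package use the `?:\\` drive wildcard; the wildcard form is more robust on hosts with a non-default system drive.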
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-multi-factor-authentication-disabled-for-an-azure-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-multi-factor-authentication-disabled-for-an-azure-user.asciidoc new file mode 100644 index 0000000000..77d73c8fbc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-multi-factor-authentication-disabled-for-an-azure-user.asciidoc 
@@ -0,0 +1,121 @@ +[[prebuilt-rule-7-16-4-multi-factor-authentication-disabled-for-an-azure-user]] +=== Multi-Factor Authentication Disabled for an Azure User + +Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Multi-Factor Authentication Disabled for an Azure User + +Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form +of identification, such as a code on their cellphone or a fingerprint scan. + +If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or +has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, +security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate. + +For more information about using MFA in Azure AD, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication). + +This rule identifies the deactivation of MFA for an Azure user account. 
This modification weakens account security +and can lead to the compromise of accounts and other assets. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- While this activity can be done by administrators, all users must use MFA. The security team should address any +potential benign true positive (B-TP), as this configuration can risk the user and domain. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. 
+- Reactivate multi-factor authentication for the user. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security defaults [provided by Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-netcat-network-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-netcat-network-activity.asciidoc new file mode 100644 index 0000000000..e17673f05f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-netcat-network-activity.asciidoc 
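Review bot: In the Multi-Factor Authentication Disabled for an Azure User file above, the `*Searches indices from*` line ends in `see also <>`, an AsciiDoc cross-reference with an empty target that renders as a broken link; the same empty `<>` appears on that line in every rule file in this package and should either point at the rule-schedule section or be dropped. Related documentation gap: `*References*: None`, while the investigation guide links two Microsoft pages (the MFA how-it-works article and the security defaults page); listing them under References makes them visible to readers who never open the guide. In the false-positive bullet, "as this configuration can risk the user and domain" reads awkwardly; "as this configuration exposes the user and the domain to risk" says the same thing clearly.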
@@ -0,0 +1,69 @@ +[[prebuilt-rule-7-16-4-netcat-network-activity]] +=== Netcat Network Activity + +A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet +* https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf +* https://en.wikipedia.org/wiki/Netcat + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Execution + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or + process.name == "netcat.openbsd" or process.name == "netcat.traditional") and + event.type == "start"] + [network where (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or + process.name == "netcat.openbsd" or process.name == "netcat.traditional")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ 
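Review bot: The netcat sequence in the rule query above has no `maxspan`, so a process start and a network event sharing a `process.entity_id` are correlated however far apart they occur; `sequence by process.entity_id with maxspan=...` bounds that window, which is the usual shape for a start-then-connect sequence. The file also lacks the `## Setup` note about `event.ingested` on non-Agent indices that the other EQL rules against `auditbeat-*` in this package carry, even though `auditbeat-*` is listed under Rule indices. In the description, "exporting a reverse shell" should read "spawning a reverse shell".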
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-certutil.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-certutil.asciidoc new file mode 100644 index 0000000000..0d87d01077 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-certutil.asciidoc 
@@ -0,0 +1,130 @@ +[[prebuilt-rule-7-16-4-network-connection-via-certutil]] +=== Network Connection via Certutil + +Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml +* https://frsecure.com/malware-incident-response-playbook/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Command and Control + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Network Connection via Certutil + +Attackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources +in order to take the next steps in a compromised environment. + +This rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in +[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml) + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate if the downloaded file was executed. 
+- Determine the context in which `certutil.exe` and the file were run. +- Retrieve the downloaded file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified +anything suspicious, this alert can be closed as a false positive. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination +of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where process.name : "certutil.exe" and event.type == "start"] + [network where process.name : "certutil.exe" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", + "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", + "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-compiled-html-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-compiled-html-file.asciidoc new file mode 100644 index 0000000000..5f2e0679ed --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-compiled-html-file.asciidoc 
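Review bot: The `cidrmatch` exclusion list in the certutil rule query above contains entries already covered by another entry: `192.0.0.0/24` includes `192.0.0.0/29`, `192.0.0.8/32`, `192.0.0.9/32`, `192.0.0.10/32`, `192.0.0.170/32` and `192.0.0.171/32`, so those six can be dropped without changing behaviour. On the IPv6 side the list excludes only `::1`, `FE80::/10` and `FF00::/8`; if the intent is "destinations outside the special-purpose registry", unique local addresses (`FC00::/7`) belong there too, otherwise an internal IPv6 network alerts on every internal connection. The same list is copied into the Compiled HTML File, Registration Utility and Signed Binary rules in this package, so any change should be made in all four. In the guide, the sentence ending with the IANA registry link is missing its period.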
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-network-connection-via-compiled-html-file]] +=== Network Connection via Compiled HTML File + +Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where process.name : "hh.exe" and event.type == "start"] + [network where process.name : "hh.exe" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** 
ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Compiled HTML File +** ID: T1218.001 +** Reference URL: https://attack.mitre.org/techniques/T1218/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-registration-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-registration-utility.asciidoc new file mode 100644 index 0000000000..27c2579b56 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-registration-utility.asciidoc 
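Review bot: The hh.exe sequence in the rule query above does not exclude DNS traffic the way the Registration Utility rule in this package does (`network.protocol != "dns"`), so a DNS lookup to an external resolver attributed to hh.exe satisfies the network step by itself; adding the same exclusion keeps the four network-connection rules consistent. Formatting nit in the same list: `"192.175.48.0/24","198.18.0.0/15"` is missing the space after the comma that the rest of the entries use. The file has no investigation guide, unlike the certutil rule with the same structure; at minimum a false-positive note on legitimate help-file content that loads remote resources would help triage.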
@@ -0,0 +1,84 @@ +[[prebuilt-rule-7-16-4-network-connection-via-registration-utility]] +=== Network Connection via Registration Utility + +Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 14 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where event.type == "start" and + process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe") and + not ( + (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and + (process.parent.name : "msiexec.exe" or process.parent.executable : ("C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe")) + ) + ] + [network where process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe") and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8") and network.protocol != 
"dns"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-signed-binary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-signed-binary.asciidoc new file mode 100644 index 0000000000..1f9f4a1d82 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-network-connection-via-signed-binary.asciidoc 
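Review bot: The description of the Network Connection via Registration Utility rule above names `regsvr64.exe` among the watched binaries, but the query matches only `("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe")` in both the process and the network step; either add `regsvr64.exe` to both lists or drop it from the description so the documented coverage matches what the query does. Under Framework, the Execution tactic is listed with no technique beneath it, unlike the Defense Evasion entry.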
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-network-connection-via-signed-binary]] +=== Network Connection via Signed Binary + +Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where (process.name : "expand.exe" or process.name : "extrac32.exe" or + process.name : "ieexec.exe" or process.name : "makecab.exe") and + event.type == "start"] + [network where (process.name : "expand.exe" or process.name : "extrac32.exe" or + process.name : "ieexec.exe" or process.name : "makecab.exe") and + not cidrmatch(destination.ip, + "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", + "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", + "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: 
TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-new-activesyncalloweddeviceid-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-new-activesyncalloweddeviceid-added-via-powershell.asciidoc new file mode 100644 index 0000000000..ad1933617e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-new-activesyncalloweddeviceid-added-via-powershell.asciidoc 
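Review bot: The description of the Network Connection via Signed Binary rule above never says which binaries it covers, while the query matches exactly `expand.exe`, `extrac32.exe`, `ieexec.exe` and `makecab.exe`; naming them in the description, as the Registration Utility rule does, tells an analyst at a glance what an alert on this rule means. Style: the two `or` chains could be written as `process.name : ("expand.exe", "extrac32.exe", "ieexec.exe", "makecab.exe")`, the list form the other rules in this package already use. The Execution tactic entry has no technique under it.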
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-new-activesyncalloweddeviceid-added-via-powershell]] +=== New ActiveSyncAllowedDeviceID Added via PowerShell + +Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ +* https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Email Delegate Permissions +** ID: T1098.002 +** Reference URL: https://attack.mitre.org/techniques/T1098/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-new-or-modified-federation-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-new-or-modified-federation-domain.asciidoc new file mode 100644 index 0000000000..cfceb64cb4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-new-or-modified-federation-domain.asciidoc 
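Review bot: The wildcard `process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"` in the rule query above only matches when the cmdlet and the parameter land in the same argument (a one-line `-Command` string); when the cmdlet runs from a script file or an interactive session, neither appears in the process arguments at all, so the `## Setup` section should state that limitation and point to PowerShell script block logging as the complementary source. The title says `ActiveSyncAllowedDeviceID` while the parameter the query matches, and the Set-CASMailbox reference documents, is `ActiveSyncAllowedDeviceIDs`.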
@@ -0,0 +1,84 @@ +[[prebuilt-rule-7-16-4-new-or-modified-federation-domain]] +=== New or Modified Federation Domain + +Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps +* https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps +* https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps +* https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps +* https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps +* https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0 + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or +"Set-MsolDomainFederationSettings" or "Add-FederatedDomain" or "New-AcceptedDomain" or "Remove-AcceptedDomain" or "Remove-FederatedDomain") and +event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Domain Policy Modification +** ID: T1484 +** Reference URL: https://attack.mitre.org/techniques/T1484/ +* Sub-technique: +** Name: Domain Trust Modification +** ID: T1484.002 +** Reference URL: https://attack.mitre.org/techniques/T1484/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-nping-process-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-nping-process-activity.asciidoc new file mode 100644 index 0000000000..3ba17bc2c9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-nping-process-activity.asciidoc 
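Review bot: `*Searches indices from*: None` in the New or Modified Federation Domain file above leaves the lookback undocumented for a rule that runs every 5m; every other query rule in this package states an explicit window such as `now-25m` or `now-30m`, and a reader cannot tell from this file whether late-indexed audit events can fall between runs. Please confirm the rule carries a `from` value and document it. Since each cmdlet in the `event.action` list has its own reference URL, a short `## Triage and analysis` section explaining what each one changes (as the MFA rule has) would also help analysts who do not know the Exchange federation cmdlets.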
@@ -0,0 +1,62 @@ +[[prebuilt-rule-7-16-4-nping-process-activity]] +=== Nping Process Activity + +Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://en.wikipedia.org/wiki/Nmap + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Discovery + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and process.name:nping + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-ntds-or-sam-database-file-copied.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-ntds-or-sam-database-file-copied.asciidoc new file mode 100644 index 0000000000..331b84b768 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-ntds-or-sam-database-file-copied.asciidoc 
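Review bot: The Nping Process Activity query above fires on `process.name:nping` alone and the file has no investigation guide or false-positive section, even though the description itself says Nping is part of the Nmap suite used for security testing; authorized scanning by the security team will be the common benign case, and the file should say how to triage it (who ran it, from which host, against which targets, whether it was scheduled). Consider also pairing the start event with a network event in a sequence, as the Netcat Network Activity rule in this package does, so an invocation that never sends traffic does not alert on its own.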
@@ -0,0 +1,87 @@ +[[prebuilt-rule-7-16-4-ntds-or-sam-database-file-copied]] +=== NTDS or SAM Database File Copied + +Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ +* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 9 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ( + (process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and + process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv") + ) or + (process.pe.original_file_name : "esentutl.exe" and process.args : ("*/y*", "*/vss*", "*/d*")) + ) and + process.args : ("*\\ntds.dit", "*\\config\\SAM", "\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-email-reported-by-user-as-malware-or-phish.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-email-reported-by-user-as-malware-or-phish.asciidoc new file mode 100644 index 0000000000..15b382b863 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-email-reported-by-user-as-malware-or-phish.asciidoc 
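Review bot: `*Maximum alerts per execution*: 33` in the NTDS or SAM Database File Copied file above looks like a stray value; every other rule in this package uses 100, and for a high-severity credential-dumping rule a lower cap risks suppressing alerts when a copy runs across many hosts in one interval. Please confirm it is intended or restore 100. In the query, the cmd/PowerShell/xcopy branch uses the case-sensitive `in` on `process.pe.original_file_name` while the esentutl branch uses the case-insensitive `:`; using `:` (or `in~`) in both keeps behaviour consistent if a PE header's casing differs from the listed strings.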
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-o365-email-reported-by-user-as-malware-or-phish]] +=== O365 Email Reported by User as Malware or Phish + +Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Initial Access + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-excessive-single-sign-on-logon-errors.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-excessive-single-sign-on-logon-errors.asciidoc new file mode 100644 index 0000000000..2ee54b3a6a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-excessive-single-sign-on-logon-errors.asciidoc 
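Review bot: The query in the O365 Email Reported by User as Malware or Phish file above keys on the literal alert-policy name `rule.name:"Email reported by user as malware or phish"`; if a tenant renames or duplicates that policy, or Microsoft changes the default name, the rule silently stops firing with no error, so the `## Setup` section should state that dependency and tell operators to verify the policy name in their tenant. The description is mostly motivation for awareness training; one sentence on what the analyst should do with a report (retrieve the message, extract sender and URL indicators, check for other recipients) would make it actionable.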
@@ -0,0 +1,72 @@ +[[prebuilt-rule-7-16-4-o365-excessive-single-sign-on-logon-errors]] +=== O365 Excessive Single Sign-On Logon Errors + +Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 7 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-exchange-suspicious-mailbox-right-delegation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-exchange-suspicious-mailbox-right-delegation.asciidoc new file mode 100644 index 0000000000..54cf4fa2fb --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-exchange-suspicious-mailbox-right-delegation.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-o365-exchange-suspicious-mailbox-right-delegation]] +=== O365 Exchange Suspicious Mailbox Right Delegation + +Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 5 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and +o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and +not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Email Delegate Permissions +** ID: T1098.002 +** Reference URL: https://attack.mitre.org/techniques/T1098/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-mailbox-audit-logging-bypass.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-mailbox-audit-logging-bypass.asciidoc new file mode 100644 index 0000000000..cd0d57aed5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-o365-mailbox-audit-logging-bypass.asciidoc 
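Review bot: in the O365 Exchange Suspicious Mailbox Right Delegation hunk, the second sentence of the description (sending messages and creating inbox rules to evade spam/phishing detection) describes activity this query does not match; the query fires on a successful `Add-MailboxPermission` granting `FullAccess`, `SendAs` or `SendOnBehalf`, so the description should say that such delegation lets a compromised account read from or send as another mailbox. *Searches indices from* is `None` for a rule that runs every 5m; state the lookback actually used so a reader can tell whether events between runs are covered. The exclusion `"NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"` carries a single backslash inside a quoted KQL string; confirm it matches the value as indexed rather than being read as an escape.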
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-o365-mailbox-audit-logging-bypass]] +=== O365 Mailbox Audit Logging Bypass + +Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/misconfig/status/1476144066807140355 + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Initial Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-okta-brute-force-or-password-spraying-attack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-okta-brute-force-or-password-spraying-attack.asciidoc new file mode 100644 index 0000000000..6a25b609ab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-okta-brute-force-or-password-spraying-attack.asciidoc 
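Review bot: in the O365 Mailbox Audit Logging Bypass hunk, the *Tags* list carries `Initial Access` while the ATT&CK mapping below the query is Defense Evasion (TA0005) / Impair Defenses (T1562.001); the tag should be `Defense Evasion` so tag-based filtering agrees with the mapping. The only reference is a tweet; since the query keys on the `Set-MailboxAuditBypassAssociation` cmdlet, the vendor documentation for that cmdlet would be a more durable reference.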
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-okta-brute-force-or-password-spraying-attack]] +=== Okta Brute Force or Password Spraying Attack + +Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.category:authentication and event.outcome:failure + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ 
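Review bot: the description says this rule counts failures "from a single IP address", but the page does not show the threshold grouping field or count, and *Searches indices from* is `None`; without those a reader cannot judge how many failures within what window trigger an alert, nor whether the rule distinguishes brute force (many failures against one account) from spraying (few failures each across many accounts). Add a Threshold entry naming the grouping field and count, and state the lookback.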
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-okta-user-session-impersonation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-okta-user-session-impersonation.asciidoc new file mode 100644 index 0000000000..eadc9bf669 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-okta-user-session-impersonation.asciidoc 
@@ -0,0 +1,70 @@ +[[prebuilt-rule-7-16-4-okta-user-session-impersonation]] +=== Okta User Session Impersonation + +A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access +* Credential Access + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:user.session.impersonation.initiate + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-onedrive-malware-file-upload.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-onedrive-malware-file-upload.asciidoc new file mode 100644 index 0000000000..c7dcaa4362 --- /dev/null 
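Review bot: for the Okta User Session Impersonation hunk, the ATT&CK mapping lists the Credential Access tactic with no technique; if no technique fits, say so, otherwise a reader will assume it was omitted. Since the description says impersonation should only occur when requested and expected, the investigation guide should also carry one triage line: confirm the initiating administrator and the target user in the event against an open support or change request before closing the alert.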
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-onedrive-malware-file-upload.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-onedrive-malware-file-upload]] +=== OneDrive Malware File Upload + +Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Taint Shared Content +** ID: T1080 +** Reference URL: https://attack.mitre.org/techniques/T1080/ 
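Review bot: typo in the description, "occurence" should be "occurrence". The Lateral Movement framing would also be more actionable with a sentence in the guide noting that, because the query matches `event.action:FileMalwareDetected`, the scanning engine has already flagged the file and the alert is the cue to establish who uploaded it and whether it was shared or downloaded before detection.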
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-outbound-scheduled-task-activity-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-outbound-scheduled-task-activity-via-powershell.asciidoc new file mode 100644 index 0000000000..9bdb28a680 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-outbound-scheduled-task-activity-via-powershell.asciidoc 
@@ -0,0 +1,70 @@ +[[prebuilt-rule-7-16-4-outbound-scheduled-task-activity-via-powershell]] +=== Outbound Scheduled Task Activity via PowerShell + +Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan = 5s + [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")] + [network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ 
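Review bot: this EQL rule indexes `winlogbeat-*` and `logs-windows.*` but has no Investigation guide with the `## Setup` note about `event.ingested` that the other EQL rules in this package (Peripheral Device Discovery, Persistence via BITS Job Notify Cmdline, Persistence via Hidden Run Key Detected) carry; add the same note, since the sequence cannot run on a pre-8.2 beats index without the custom pipeline. The same gap applies to Persistence via Folder Action Script further down.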
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-peripheral-device-discovery.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-peripheral-device-discovery.asciidoc new file mode 100644 index 0000000000..e02b6a97a0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-peripheral-device-discovery.asciidoc 
@@ -0,0 +1,115 @@ +[[prebuilt-rule-7-16-4-peripheral-device-discovery]] +=== Peripheral Device Discovery + +Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Peripheral Device Discovery + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to +the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable +media. These devices can contain valuable information for attackers. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. +- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage +services. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and + process.args : "fsinfo" and process.args : "drives" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Peripheral Device Discovery +** ID: T1120 +** Reference URL: https://attack.mitre.org/techniques/T1120/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-permission-theft-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-permission-theft-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..5c939a251f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-permission-theft-detected-elastic-endgame.asciidoc 
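Review bot: for the Peripheral Device Discovery hunk, the description ("gather information about attached peripheral devices and components") is broader than what the query matches, which is only `fsutil.exe` with both `fsinfo` and `drives` among its arguments; align the description with the investigation guide, which correctly says the rule looks for `fsutil fsinfo drives` enumerating attached drives. Note also that `process.args : "fsinfo" and process.args : "drives"` matches the two tokens anywhere in the argument list without enforcing order; that is fine, but worth an inline comment in the query.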
@@ -0,0 +1,58 @@ +[[prebuilt-rule-7-16-4-permission-theft-detected-elastic-endgame]] +=== Permission Theft - Detected - Elastic Endgame + +Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Elastic +* Elastic Endgame +* Threat Detection +* Privilege Escalation + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-permission-theft-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-permission-theft-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..e5d87be5c8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-permission-theft-prevented-elastic-endgame.asciidoc 
@@ -0,0 +1,58 @@ +[[prebuilt-rule-7-16-4-permission-theft-prevented-elastic-endgame]] +=== Permission Theft - Prevented - Elastic Endgame + +Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Elastic +* Elastic Endgame +* Threat Detection +* Privilege Escalation + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-bits-job-notify-cmdline.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-bits-job-notify-cmdline.asciidoc new file mode 100644 index 0000000000..83221cd1f1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-bits-job-notify-cmdline.asciidoc 
@@ -0,0 +1,83 @@ +[[prebuilt-rule-7-16-4-persistence-via-bits-job-notify-cmdline]] +=== Persistence via BITS Job Notify Cmdline + +An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pentestlab.blog/2019/10/30/persistence-bits-jobs/ +* https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline +* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline +* https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.parent.name : "svchost.exe" and process.parent.args : "BITS" and + not process.executable : + ("?:\\Windows\\System32\\WerFaultSecure.exe", + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\System32\\wermgr.exe", + "?:\\WINDOWS\\system32\\directxdatabaseupdater.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: BITS Jobs +** ID: T1197 +** Reference URL: https://attack.mitre.org/techniques/T1197/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-directoryservice-plugin-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-directoryservice-plugin-modification.asciidoc new file mode 100644 index 0000000000..90656b3a7f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-directoryservice-plugin-modification.asciidoc 
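Review bot: in the Persistence via BITS Job Notify Cmdline hunk, the query filters on `event.type == "start"` only, whereas the other EQL process rules in this package (Peripheral Device Discovery, Persistence via Folder Action Script) use `event.type in ("start", "process_started")`; with `winlogbeat-*` among the indices, events from sources that emit `process_started` would be missed, so align the predicate. The exclusion list also mixes `?:\\Windows\\System32\\` and `?:\\WINDOWS\\system32\\`; the `:` operator is case-insensitive so this works, but a single spelling reads better.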
@@ -0,0 +1,63 @@ +[[prebuilt-rule-7-16-4-persistence-via-directoryservice-plugin-modification]] +=== Persistence via DirectoryService Plugin Modification + +Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/ + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and not event.type:deletion and + file.path:/Library/DirectoryServices/PlugIns/*.dsplug + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-folder-action-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-folder-action-script.asciidoc new file mode 100644 index 0000000000..444cd74400 --- /dev/null 
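Review bot: the description says the daemon executes bundles in the PlugIns folder, but the pattern `file.path:/Library/DirectoryServices/PlugIns/*.dsplug` only matches a path that ends in `.dsplug`, i.e. the bundle directory itself; files written inside an existing bundle have longer paths and would not match. Consider adding `/Library/DirectoryServices/PlugIns/*.dsplug/*` so modification of a bundle's contents is also caught. Minor: "after crash" should be "after a crash".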
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-folder-action-script.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-persistence-via-folder-action-script]] +=== Persistence via Folder Action Script + +Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Execution +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid + [process where event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and + not process.args : "/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt" + ] by process.parent.pid + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command 
and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-hidden-run-key-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-hidden-run-key-detected.asciidoc new file mode 100644 index 0000000000..dd5cfe2aaf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-hidden-run-key-detected.asciidoc 
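Review bot: in the Persistence via Folder Action Script hunk, the description says the rule "Detects modification of a Folder Action script", but the query matches no file event at all; it is a sequence of `com.apple.foundation.UserScriptService` starting and then spawning a script interpreter, i.e. execution of a Folder Action script, not modification of one. Reword the description to say it detects a script interpreter launched by the Folder Actions service, and document the iTerm2 AutoLaunch exclusion as a known benign source.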
@@ -0,0 +1,87 @@ +[[prebuilt-rule-7-16-4-persistence-via-hidden-run-key-detected]] +=== Persistence via Hidden Run Key Detected + +Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit). + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/outflanknl/SharpHide +* https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +/* Registry Path ends with backslash */ +registry where /* length(registry.data.strings) > 0 and */ + registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", + "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc new file mode 100644 index 0000000000..8387c931be --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc 
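Review bot: in the Persistence via Hidden Run Key Detected hunk, the query keeps a commented-out predicate, `/* length(registry.data.strings) > 0 and */`, with no explanation; either remove it or say in the comment why it was disabled, since a reader cannot tell whether the rule is meant to fire on empty values. The leading comment "Registry Path ends with backslash" is the whole detection idea (the null-terminated name the description mentions makes the value appear nameless, so the indexed path ends in a trailing `\\`) and deserves a sentence in the description rather than only an inline comment.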
@@ -0,0 +1,88 @@ +[[prebuilt-rule-7-16-4-persistence-via-kde-autostart-script-or-desktop-file-modification]] +=== Persistence via KDE AutoStart Script or Desktop File Modification + +Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://userbase.kde.org/System_Settings/Autostart +* https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Persistence + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and + file.extension in ("sh", "desktop") and + file.path : + ( + "/home/*/.config/autostart/*", "/root/.config/autostart/*", + "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*", + "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*", + "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*", + "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*", + "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*", + "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*", + "/etc/xdg/autostart/*", "/usr/share/autostart/*" + ) and + not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-login-or-logout-hook.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-login-or-logout-hook.asciidoc new file mode 100644 index 0000000000..efb14de6bc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-login-or-logout-hook.asciidoc 
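Review bot: The exclusion `not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic")` in the rule query is a bare process-name allowlist, so a dropper that names itself `dpkg` or `install` can write to `~/.config/autostart/` without triggering; constrain the exclusions by `process.executable` path (for example `/usr/bin/dpkg`) rather than by name alone. Consistency: `file.extension in ("sh", "desktop")` uses the case-sensitive `in` operator while the paths use the `:` wildcard operator, which is harmless on Linux but differs from the other file rules in this package. The ATT&CK mapping stops at T1547; consider whether the sub-technique for XDG autostart entries (T1547.013) should be listed, since the `.desktop` paths under `~/.config/autostart` and `/etc/xdg/autostart` are exactly that mechanism.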
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-persistence-via-login-or-logout-hook]] +=== Persistence via Login or Logout Hook + +Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf +* https://www.manpagez.com/man/1/defaults/ + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.name == "defaults" and process.args == "write" and process.args in ("LoginHook", "LogoutHook") and + not process.args : + ( + "Support/JAMF/ManagementFrameworkScripts/logouthook.sh", + "Support/JAMF/ManagementFrameworkScripts/loginhook.sh", + "/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh", + "/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-microsoft-office-addins.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-microsoft-office-addins.asciidoc new file mode 100644 index 0000000000..63f252d056 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-microsoft-office-addins.asciidoc 
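Review bot: Two entries in the exclusion list of the rule query are path fragments rather than paths: `"Support/JAMF/ManagementFrameworkScripts/logouthook.sh"` and `"Support/JAMF/ManagementFrameworkScripts/loginhook.sh"`. They presumably exist because `/Library/Application Support/...` is split at the space when the command line is tokenized into `process.args`, but nothing says so; add a comment to the query so the next maintainer does not "fix" them, and note that `not process.args :` is satisfied by any argument token equal to that fragment, so a hook script at a path such as `/Users/x/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh` is excluded as well. The `process.args == "write"` plus `process.args in ("LoginHook", "LogoutHook")` condition does not check the `com.apple.loginwindow` domain, which is fine for recall but worth stating in the description. Description nits: "MacOS" should be "macOS" as in the tags, and "Defaults command" should be the lowercase `defaults` binary the query matches. The ATT&CK mapping could add the Login Hook sub-technique (T1037.002) under T1037.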
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-persistence-via-microsoft-office-addins]] +=== Persistence via Microsoft Office AddIns + +Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and + file.extension : ("wll","xll","ppa","ppam","xla","xlam") and + file.path : + ( + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*", + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*", + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Office Application Startup +** ID: T1137 +** Reference URL: https://attack.mitre.org/techniques/T1137/ 
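Review bot: The `file.path` patterns in the rule query hardcode the system drive (`"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*"` and the two siblings), while other rules in this package use `?:\\` for the drive letter (see the Scheduled Job Creation and Update Orchestrator rules); profiles redirected to another volume are missed, so switch to `?:\\Users\\*\\...`. Scope: the extension list includes `.ppa`/`.ppam` for PowerPoint but none of the three paths is PowerPoint-specific, so confirm those extensions are loaded from the shared `AddIns` folder or drop them to avoid dead filter terms, and say in the description that only per-user startup folders are covered (machine-wide Office startup directories are out of scope for this rule).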
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-microsoft-outlook-vba.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-microsoft-outlook-vba.asciidoc new file mode 100644 index 0000000000..c5b5ce8d1e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-microsoft-outlook-vba.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-persistence-via-microsoft-outlook-vba]] +=== Persistence via Microsoft Outlook VBA + +Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ +* https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and + file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Office Application Startup +** ID: T1137 +** Reference URL: https://attack.mitre.org/techniques/T1137/ 
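Review bot: The rule query fires on any non-deletion file event for `"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"`, which includes Outlook itself saving a user's own macros, yet the investigation guide contains only the Setup note and no false-positive analysis; since excluding `outlook.exe` as the writer would also lose macros installed through Outlook's own VBA editor, keep the query broad but add a "Triage and analysis" section like the Startup Directory and Port Forwarding rules in this package, telling the analyst to check which process wrote the file and whether the user has a macro workflow. Same drive-letter issue as the AddIns rule: use `?:\\Users\\*` instead of `C:\\Users\\*`.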
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-scheduled-job-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-scheduled-job-creation.asciidoc new file mode 100644 index 0000000000..da2540d1f3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-scheduled-job-creation.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-persistence-via-scheduled-job-creation]] +=== Persistence via Scheduled Job Creation + +A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and + file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ 
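Review bot: `.job` files under `?:\\Windows\\Tasks\\` are artifacts of the legacy Task Scheduler 1.0 interface (`at.exe` / `ITaskScheduler`); tasks created with `schtasks.exe` or the Task Scheduler 2.0 API are stored as XML under `System32\\Tasks` and never produce a `.job` file, so the description ("Adversaries may abuse task scheduling functionality ...") promises more than the query `file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job"` delivers. Either narrow the description to the legacy `.job` case or add the `System32\\Tasks` path. The ATT&CK mapping to T1053.005 (Scheduled Task) is defensible, but T1053.002 (At) matches the `.job` artifact more directly. "References: None" should at least point at documentation for the `.job` format so analysts can parse the recovered file.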
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc new file mode 100644 index 0000000000..8d90ffbde8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-7-16-4-persistence-via-telemetrycontroller-scheduled-task-hijack]] +=== Persistence via TelemetryController Scheduled Task Hijack + +Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and + not process.name : ("conhost.exe", + "DeviceCensus.exe", + "CompatTelRunner.exe", + "DismHost.exe", + "rundll32.exe", + "powershell.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-update-orchestrator-service-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-update-orchestrator-service-hijack.asciidoc new file mode 100644 index 0000000000..c44fc0c5f7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-update-orchestrator-service-hijack.asciidoc 
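Review bot: The `not process.name : (... "rundll32.exe", "powershell.exe")` exclusion in the rule query removes the two most likely payload launchers for a hijacked TelemetryController command: if the attacker points the hijacked command at `powershell.exe -enc ...` or `rundll32.exe payload.dll,Entry`, the child of `CompatTelRunner.exe` carrying `-cv*` is never alerted on, which contradicts the description's "Detects the successful hijack". If those names were excluded for noise, tighten the exclusion with `process.args` conditions that match the legitimate telemetry invocations rather than dropping the process names wholesale, or split them into a separate medium-severity rule. Nit: this rule uses `event.type in ("start", "process_started")` while the Update Orchestrator rule in the same package uses `event.type == "start"` against the same indices; pick one form.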
@@ -0,0 +1,94 @@ +[[prebuilt-rule-7-16-4-persistence-via-update-orchestrator-service-hijack]] +=== Persistence via Update Orchestrator Service Hijack + +Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/irsl/CVE-2020-1313 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence +* CVE-2020-1313 + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and + process.parent.args : "UsoSvc" and + not process.executable : + ("?:\\ProgramData\\Microsoft\\Windows\\UUS\\Packages\\*\\amd64\\MoUsoCoreWorker.exe", + "?:\\Windows\\System32\\UsoClient.exe", + "?:\\Windows\\System32\\MusNotification.exe", + "?:\\Windows\\System32\\MusNotificationUx.exe", + "?:\\Windows\\System32\\MusNotifyIcon.exe", + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\System32\\WerMgr.exe", + "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe", + "?:\\Windows\\System32\\MoUsoCoreWorker.exe", + "?:\\Windows\\UUS\\amd64\\UsoCoreWorker.exe", + "?:\\Windows\\System32\\UsoCoreWorker.exe", + "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-wmi-event-subscription.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-wmi-event-subscription.asciidoc new file mode 100644 index 0000000000..50c4f0e249 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistence-via-wmi-event-subscription.asciidoc 
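Review bot: The exclusion list in the rule query is path-only, with no code-signature condition; the entry `"?:\\ProgramData\\Microsoft\\Windows\\UUS\\Packages\\*\\amd64\\MoUsoCoreWorker.exe"` in particular contains a wildcard directory component, so if an attacker can create a `Packages\\<anything>\\amd64\\` folder there, a binary named `MoUsoCoreWorker.exe` launched by `svchost.exe -k ... UsoSvc` is silently excluded. Add `process.code_signature.subject_name`/`process.code_signature.trusted` checks for the excluded binaries (the Endpoint data source populates them), or at least document that the exclusions trust the path. The description says "potential hijacking" but the severity is high/73, so state in a triage section what confirms versus rules out the hijack (for instance, the `process.executable` not being Microsoft-signed).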
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-persistence-via-wmi-event-subscription]] +=== Persistence via WMI Event Subscription + +An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and + process.args : "create" and + process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Windows Management Instrumentation Event Subscription +** ID: T1546.003 +** Reference URL: https://attack.mitre.org/techniques/T1546/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistent-scripts-in-the-startup-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistent-scripts-in-the-startup-directory.asciidoc new file mode 100644 index 0000000000..9faacdfe9a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-persistent-scripts-in-the-startup-directory.asciidoc 
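Review bot: The rule query only sees consumer creation through `wmic.exe` (`process.args : "create"` with `"ActiveScriptEventConsumer"` or `"CommandLineEventConsumer"`); a working permanent subscription also needs an `__EventFilter` and a `__FilterToConsumerBinding`, and all three objects are just as easily created with PowerShell (`Set-WmiInstance`, `New-CimInstance`) or `mofcomp.exe`, none of which this rule covers. Given "References: None" and low severity, either say in the description that this is a wmic-only heuristic, or extend `process.args` to include `"__FilterToConsumerBinding"` and add a PowerShell-based companion rule. Keeping `process.pe.original_file_name == "wmic.exe"` alongside `process.name` is the right call for renamed copies.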
@@ -0,0 +1,143 @@ +[[prebuilt-rule-7-16-4-persistent-scripts-in-the-startup-directory]] +=== Persistent Scripts in the Startup Directory + +Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Persistent Scripts in the Startup Directory + +The Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account +logon, without user interaction, providing an excellent way for attackers to maintain persistence. + +This rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate +software installations. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. 
+- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff +- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and user.domain != "NT AUTHORITY" and + + /* detect shortcuts created by wscript.exe or cscript.exe */ + (file.path : "C:\\*\\Programs\\Startup\\*.lnk" and + process.name : ("wscript.exe", "cscript.exe")) or + + /* detect vbs or js files created by any process */ + file.path : ("C:\\*\\Programs\\Startup\\*.vbs", + "C:\\*\\Programs\\Startup\\*.vbe", + "C:\\*\\Programs\\Startup\\*.wsh", + "C:\\*\\Programs\\Startup\\*.wsf", + "C:\\*\\Programs\\Startup\\*.js") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ 
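Review bot: Operator-precedence bug in the rule query: EQL `and` binds tighter than `or`, so `file where event.type != "deletion" and user.domain != "NT AUTHORITY" and (... *.lnk ... wscript/cscript ...) or file.path : (... *.vbs ... *.js)` is evaluated as "(non-deletion, non-NT AUTHORITY, lnk-by-script-host) or (any vbs/vbe/wsh/wsf/js path event)", meaning the second branch fires on deletion events and on `NT AUTHORITY` accounts, which the guide's "Benign true positives ... can be added as exceptions" does not anticipate. Wrap both branches in one parenthesised group, e.g. `file where event.type != "deletion" and user.domain != "NT AUTHORITY" and ((file.path : "C:\\*\\Programs\\Startup\\*.lnk" and process.name : ("wscript.exe", "cscript.exe")) or file.path : (...))`. The paths also hardcode `C:\\` where other rules in this package use `?:\\`.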
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-port-forwarding-rule-addition.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-port-forwarding-rule-addition.asciidoc new file mode 100644 index 0000000000..9a1b39199b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-port-forwarding-rule-addition.asciidoc 
@@ -0,0 +1,127 @@ +[[prebuilt-rule-7-16-4-port-forwarding-rule-addition]] +=== Port Forwarding Rule Addition + +Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Command and Control + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Port Forwarding Rule Addition + +Network port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to +any other port number, or even to a port on a remote computer. + +Attackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box +to access previously unreachable systems. + +This rule monitors the modifications to the `HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\` subkeys. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Identify the target host IP address, check the connections originating from the host where the modification occurred, +and inspect the credentials used. + - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity +and there are justifications for this configuration. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination +of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Delete the port forwarding rule. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-possible-consent-grant-attack-via-azure-registered-application.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-possible-consent-grant-attack-via-azure-registered-application.asciidoc new file mode 100644 index 0000000000..a409269f87 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-possible-consent-grant-attack-via-azure-registered-application.asciidoc 
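Review bot: The rule query `registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*"` covers only the `v4tov4` subkey, while the investigation guide says forwarding applies to "IPv4 or IPv6"; `netsh interface portproxy` also writes `v4tov6`, `v6tov4` and `v6tov6`, so either use `PortProxy\\*\\*` or list all four subkeys. The query has no `event.type` filter, so a deletion, including the analyst's own cleanup in the "Delete the port forwarding rule" remediation step, re-triggers the alert; add `event.type != "deletion"` or document the behaviour. The guide's "This rule monitors the modifications to the ... v4tov4 subkeys" should then read "creation, modification or deletion" to match whatever the query ends up doing.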
@@ -0,0 +1,151 @@ +[[prebuilt-rule-7-16-4-possible-consent-grant-attack-via-azure-registered-application]] +=== Possible Consent Grant Attack via Azure-Registered Application + +Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide +* https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/ +* https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Possible Consent Grant Attack via Azure-Registered Application + +In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data +such as contact information, email, or documents. The attacker then tricks an end user into granting that application +consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. +After the illicit application has been granted consent, it has account-level access to data without the need for an +organizational account. 
Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor +authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications +and are external to the organization. + +Official Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants). + +#### Possible investigation steps + +- From the Azure AD portal, Review the application that was granted permissions: + - Click on the `Review permissions` button on the `Permissions` blade of the application. + - An app should require only permissions related to the app's purpose. If that's not the case, the app might be risky. + - Apps that require high privileges or admin consent are more likely to be risky. +- Investigate the app and the publisher. The following characteristics can indicate suspicious apps: + - A low number of downloads. + - Low rating or score or bad comments. + - Apps with a suspicious publisher or website. + - Apps whose last update is not recent. This might indicate an app that is no longer supported. +- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected. + +### False positive analysis + +- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. +Thus, analysts must review each app consent to ensure that only desired apps are granted access. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. 
+ - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Disable the malicious application to stop user access and the application access to your data. +- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete +this task. +- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be +used to complete this task. +- Revoke the refresh token for all users assigned to the application. Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task. +- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss +incident response playbook. +- Disable the permission for a user to set consent permission on their behalf. + - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and + ( + azure.activitylogs.operation_name:"Consent to application" or + azure.auditlogs.operation_name:"Consent to application" or + o365.audit.Operation:"Consent to application." + ) and + event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Application Access Token +** ID: T1528 +** Reference URL: https://attack.mitre.org/techniques/T1528/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-possible-okta-dos-attack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-possible-okta-dos-attack.asciidoc new file mode 100644 index 0000000000..5543494a06 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-possible-okta-dos-attack.asciidoc 
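Review bot: the Setup section ("The Azure Fleet integration, Filebeat module, or similarly structured data is required") does not mention Office 365, yet the query also matches `event.dataset:(... o365.audit)` and `o365.audit.Operation:"Consent to application."`; add the Office 365 integration or Filebeat module to the Setup text, or drop the `o365.audit` branch. The description also promises detection of tenant-wide admin consent, but the query keys on the single operation name "Consent to application" in all three datasets; confirm that admin consent events carry that same operation name, and if they do not, add the admin consent operation or narrow the description. Minor style: "Review" is capitalised mid-sentence in "From the Azure AD portal, Review the application", and "Oauth" should be "OAuth" throughout the guide.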
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-possible-okta-dos-attack]] +=== Possible Okta DoS Attack + +Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Network Denial of Service +** ID: T1498 +** Reference URL: https://attack.mitre.org/techniques/T1498/ +* Technique: +** Name: Endpoint Denial of Service +** ID: T1499 +** Reference URL: https://attack.mitre.org/techniques/T1499/ 
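Review bot: `*Searches indices from*: None` together with `*Runs every*: 5m` means the rule has no look-back window (`from`) set, so events that arrive between runs or with ingest delay can be missed; set a `from` value (a suggestion: `now-6m`, the other rules in this package use `now-9m` or `now-25m`) so consecutive executions overlap. Separately, the rate-limit event types in the query (`application.integration.rate_limit_exceeded`, `system.org.rate_limit.warning`, `system.org.rate_limit.violation`, `core.concurrency.org.limit.violation`) also fire on legitimately bursty integrations, but the investigation guide contains only a Setup section; add triage and false positive guidance (which client or integration and which source triggered the limit, whether it is a known integration) as the other rules in this package do.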
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-abuse-of-repeated-mfa-push-notifications.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-abuse-of-repeated-mfa-push-notifications.asciidoc new file mode 100644 index 0000000000..1a4aeb2313 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-abuse-of-repeated-mfa-push-notifications.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-potential-abuse-of-repeated-mfa-push-notifications]] +=== Potential Abuse of Repeated MFA Push Notifications + +Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mandiant.com/resources/russian-targeting-gov-business + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by user.email with maxspan=10m + [any where event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"] + [any where event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"] + [any where event.module == "okta" and event.action == "user.authentication.sso"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ 
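Review bot: the sequence in the Rule query block fires on just two `user.mfa.okta_verify.deny_push` events followed by any `user.authentication.sso` for the same `user.email` within 10 minutes; it never checks that a push was accepted, although the description says the attacker repeats requests "until the user eventually accepts the Okta push notification". Two denied pushes followed by the user signing in normally is a plausible benign pattern, so consider adding a step for the accepted push or successful MFA event if the Okta integration exposes one, or raising the number of denies required, and describe the heuristic in a triage section (the guide currently has only Setup). As with the Okta DoS rule, `*Searches indices from*: None` leaves no look-back window for a rule that runs every 5 minutes.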
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-application-shimming-via-sdbinst.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-application-shimming-via-sdbinst.asciidoc new file mode 100644 index 0000000000..b1dc327a7b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-application-shimming-via-sdbinst.asciidoc 
@@ -0,0 +1,88 @@ +[[prebuilt-rule-7-16-4-potential-application-shimming-via-sdbinst]] +=== Potential Application Shimming via Sdbinst + +The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.name : "sdbinst.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Application Shimming +** ID: T1546.011 +** Reference URL: https://attack.mitre.org/techniques/T1546/011/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Application Shimming +** ID: T1546.011 +** Reference URL: https://attack.mitre.org/techniques/T1546/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-cookies-theft-via-browser-debugging.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-cookies-theft-via-browser-debugging.asciidoc new file mode 100644 index 0000000000..f0fc622355 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-cookies-theft-via-browser-debugging.asciidoc 
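Review bot: the query matches every start of `sdbinst.exe` (`process where event.type in ("start", "process_started") and process.name : "sdbinst.exe"`) with no constraint on arguments or parent process, so legitimate shim database installs by software installers will alert as well; the investigation guide has only a Setup section, so add triage guidance (which .sdb file was installed, the parent process, whether the installer belongs to a known package) and a false positive note. Also consider whether `*References*: None` should at least point at the T1546.011 page that is already listed in the Framework section.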
@@ -0,0 +1,92 @@ +[[prebuilt-rule-7-16-4-potential-cookies-theft-via-browser-debugging]] +=== Potential Cookies Theft via Browser Debugging + +Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access to web applications or internet services as an authenticated user without needing credentials. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://github.com/defaultnamehere/cookie_crimes +* https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/ +* https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md +* https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e + +*Tags*: + +* Elastic +* Host +* Linux +* Windows +* macOS +* Threat Detection +* Credential Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started", "info") and + process.name in ( + "Microsoft Edge", + "chrome.exe", + "Google Chrome", + "google-chrome-stable", + "google-chrome-beta", + "google-chrome", + "msedge.exe") and + process.args : ("--remote-debugging-port=*", + "--remote-debugging-targets=*", + "--remote-debugging-pipe=*") and + process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-dcsync.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-dcsync.asciidoc new file mode 100644 index 0000000000..b9f7de57af --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-dcsync.asciidoc 
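Review bot: unlike the other process rules in this package, this query includes `"info"` in `event.type in ("start", "process_started", "info")`, so a long-running browser started with a remote debugging switch will be reported on every process inventory event rather than once at start; if that is intentional, say so in the guide, and note that it interacts with `*Maximum alerts per execution*: 33`, an unusual value next to the 100 used everywhere else in this package (typo?). The mandatory `process.args : "--user-data-dir=*"` clause also narrows the rule to launches with an explicit profile directory, which the description ("execution of a Chromium based browser with the debugging process argument") does not say; document that this is a deliberate false-positive reduction. Finally, `"--remote-debugging-pipe=*"` only matches the switch when it carries a value; confirm that is the form the browsers emit, otherwise also match the bare switch.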
@@ -0,0 +1,174 @@ +[[prebuilt-rule-7-16-4-potential-credential-access-via-dcsync]] +=== Potential Credential Access via DCSync + +This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html +* https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md +* https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync +* https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access +* Active Directory + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Credential Access via DCSync + +Active Directory replication is the process by which the changes that originate on one domain controller are +automatically transferred to other domain controllers that store the same data. + +Active Directory data consists of objects that have properties, or attributes. 
Each object is an instance of an object +class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are +defined by the values of their attributes, and changes to attribute values must be transferred from the domain +controller on which they occur to every other domain controller that stores a replica of an affected object. + +Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process +from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used +legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges +to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of +the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused +to grant controlled objects the right to DCsync/Replicate. + +More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync). + +This rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that +use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent: +Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). +It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)). 
+ +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller +(DC) that received the replication request. This will tell you where the AD replication request came from, and if it +came from another DC or not. +- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones). + +### False positive analysis + +- This activity should not happen legitimately, since replication should be done by Domain Controllers only. Any +potential benign true positive (B-TP) should be mapped and monitored by the security team. Any account that performs +this activity can put the domain at risk for not having the same security standards as computer accounts (which have +long, complex, random passwords that change frequently), exposing it to credential cracking attacks (Kerberoasting, +brute force, etc.). + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If specific credentials were compromised: + - Reset the password for these accounts and other potentially compromised credentials, like email, business systems, + and web services. +- If the entire domain or the `krbtgt` user were compromised: + - Activate your incident response plan for total Active Directory compromise which should include, but not be limited + to, a password reset (twice) of the `krbtgt` user. +- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this +information to scope ways that the attacker could use to regain access to the environment. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +``` + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where event.action == "Directory Service Access" and + event.code == "4662" and winlog.event_data.Properties : ( + + /* Control Access Rights/Permissions Symbol */ + + "*DS-Replication-Get-Changes*", + "*DS-Replication-Get-Changes-All*", + "*DS-Replication-Get-Changes-In-Filtered-Set*", + + /* Identifying GUID used in ACE */ + + "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", + "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", + "*89e95b76-444d-4c62-991a-0facbeda640c*") + + /* The right to perform an operation controlled by an extended access right. 
*/ + + and winlog.event_data.AccessMask : "0x100" and + not winlog.event_data.SubjectUserName : ("*$", "MSOL_*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: DCSync +** ID: T1003.006 +** Reference URL: https://attack.mitre.org/techniques/T1003/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc new file mode 100644 index 0000000000..4220d44581 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc 
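Review bot: the Setup section instructs enabling "Audit Directory Service Changes (Success,Failure)", but the query matches `event.action == "Directory Service Access"` and `event.code == "4662"`; Event ID 4662 is produced by the DS Access > Audit Directory Service Access subcategory, not by Audit Directory Service Changes, so the setup steps as written will not generate the events this rule needs. Change the last line of the policy path to `Audit Directory Service Access (Success,Failure)`. Also, the `/* The right to perform an operation controlled by an extended access right. */` comment explains the `winlog.event_data.AccessMask : "0x100"` clause and belongs directly above it; where it sits now, between the Properties list and the `and`, it reads as an annotation of the GUID list.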
@@ -0,0 +1,83 @@ +[[prebuilt-rule-7-16-4-potential-credential-access-via-duplicatehandle-in-lsass]] +=== Potential Credential Access via DuplicateHandle in LSASS + +Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/CCob/MirrorDump + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.code == "10" and + + /* LSASS requesting DuplicateHandle access right to another process */ + process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and + + /* call is coming from an unknown executable region */ + winlog.event_data.CallTrace : "*UNKNOWN*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-lsass-memory-dump.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-lsass-memory-dump.asciidoc new file mode 100644 index 0000000000..2541903a78 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-lsass-memory-dump.asciidoc 
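Review bot: the query relies on Sysmon ProcessAccess data (`event.code == "10"`, `winlog.event_data.GrantedAccess`, `winlog.event_data.CallTrace`) but, unlike the renamed COMSVCS.DLL rule in this same package, it neither filters on `event.dataset : "windows.sysmon_operational"` nor tells the reader in Setup that Sysmon Event ID 10 logging is required; the Setup section only carries the generic `event.ingested` note. Add the dataset constraint so a bare `event.code == "10"` from another provider on `winlogbeat-*` cannot match, and add the Sysmon prerequisite to Setup. The comment "LSASS requesting DuplicateHandle access right to another process" should also say that `process.name : "lsass.exe"` is the source side of the access event and that the target is deliberately left unconstrained, so a reader does not take the rule for a target-lsass check.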
@@ -0,0 +1,84 @@ +[[prebuilt-rule-7-16-4-potential-credential-access-via-lsass-memory-dump]] +=== Potential Credential Access via LSASS Memory Dump + +Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.code == "10" and + winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and + + /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/ + winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and + + /* case of lsass crashing */ + not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-renamed-com-services-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-renamed-com-services-dll.asciidoc new file mode 100644 index 0000000000..d90878ebaa --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-renamed-com-services-dll.asciidoc 
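Review bot: the Setup section does not say that this rule needs Sysmon ProcessAccess events (Event ID 10) with call-trace data, which is what `event.code == "10"` and `winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*")` depend on; add that prerequisite, as the renamed COMSVCS.DLL rule's Setup does for ImageLoads. Minor: the comment `/* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/` is missing a space before `*/`, and the `/* case of lsass crashing */` exclusion would be clearer as "exclude Windows Error Reporting, which legitimately dumps a crashing lsass".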
@@ -0,0 +1,83 @@ +[[prebuilt-rule-7-16-4-potential-credential-access-via-renamed-com-services-dll]] +=== Potential Credential Access via Renamed COM+ Services DLL + +Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original +File Name. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m + [process where event.category == "process" and + process.name : "rundll32.exe"] + [process where event.category == "process" and event.dataset : "windows.sysmon_operational" and event.code == "7" and + (file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and + /* renamed COMSVCS */ + not file.name : "COMSVCS.DLL"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-trusted-developer-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-trusted-developer-utility.asciidoc new file mode 100644 index 0000000000..417be2d542 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-trusted-developer-utility.asciidoc 
@@ -0,0 +1,130 @@ +[[prebuilt-rule-7-16-4-potential-credential-access-via-trusted-developer-utility]] +=== Potential Credential Access via Trusted Developer Utility + +An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Credential Access via Trusted Developer Utility + +The Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML +schema for a project file that controls how the build platform processes and builds software. + +Adversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was +introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will +compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass +application control defenses that are configured to allow `MSBuild.exe` execution. + +This rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of +credential access activities. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file +modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to identify the `.csproj` file location. +- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target +host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")] + [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : ("vaultcli.dll", "SAMLib.DLL") or file.name : ("vaultcli.dll", "SAMLib.DLL"))] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ 
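Review bot: In the "Possible investigation steps" of prebuilt-rule-7-16-4-potential-credential-access-via-trusted-developer-utility.asciidoc, the last step says to look for login events "to the target host after the registry modification", but this rule fires on MSBuild loading `vaultcli.dll` or `SAMLib.DLL`, not on a registry change; the phrase looks copied from another guide and should read "after the DLL load" (or "after the alert"). Separately, the Rule query sequence has no `maxspan`, so the `[any where ...]` library-load step can pair with an `MSBuild.exe` start event arbitrarily far back; the COM+ Services rule in this same package bounds its sequence with `with maxspan=1m`, and a similar bound here would keep sequence state small and the pairing meaningful.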
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-windows-utilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-windows-utilities.asciidoc new file mode 100644 index 0000000000..3617662fc8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-credential-access-via-windows-utilities.asciidoc 
@@ -0,0 +1,138 @@ +[[prebuilt-rule-7-16-4-potential-credential-access-via-windows-utilities]] +=== Potential Credential Access via Windows Utilities + +Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Credential Access via Windows Utilities + +Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible +for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles +password changes, and creates access tokens. + +The `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and +group membership. + +This rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active +Directory `Ntds.dit` file. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file +modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to identify what information was targeted. +- Identify the target computer and its role in the IT environment. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious +must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If the host is a domain controller (DC): + - Activate your incident response plan for total Active Directory compromise. + - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is + being followed and to reduce the attack surface. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and +/* update here with any new lolbas with dump capability */ +(process.pe.original_file_name == "procdump" and process.args : "-ma") or +(process.name : "ProcessDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Cisco Systems\\.*""") or +(process.pe.original_file_name == "WriteMiniDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Steam\\.*""") or +(process.pe.original_file_name == "RUNDLL32.EXE" and (process.args : "MiniDump*" or process.command_line : "*comsvcs.dll*#24*")) or +(process.pe.original_file_name == "RdrLeakDiag.exe" and process.args : "/fullmemdmp") or +(process.pe.original_file_name == "SqlDumper.exe" and process.args : "0x01100*") or +(process.pe.original_file_name == "TTTracer.exe" and process.args : "-dumpFull" and process.args : "-attach") or +(process.pe.original_file_name == "ntdsutil.exe" and process.args : "create*full*") or +(process.pe.original_file_name == "diskshadow.exe" and process.args : "/s") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Sub-technique: +** Name: NTDS +** ID: T1003.003 +** Reference URL: 
https://attack.mitre.org/techniques/T1003/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-dll-side-loading-via-microsoft-antimalware-service-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-dll-side-loading-via-microsoft-antimalware-service-executable.asciidoc new file mode 100644 index 0000000000..4cb1119a68 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-dll-side-loading-via-microsoft-antimalware-service-executable.asciidoc 
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-potential-dll-side-loading-via-microsoft-antimalware-service-executable]] +=== Potential DLL Side-Loading via Microsoft Antimalware Service Executable + +Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Elastic +* Dennis Perto + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + (process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or + (process.name : "MsMpEng.exe" and not + process.executable : ("?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe", + "?:\\Program Files\\Windows Defender\\*.exe", + "?:\\Program Files (x86)\\Windows Defender\\*.exe", + "?:\\Program Files\\Microsoft Security Client\\*.exe", + "?:\\Program Files (x86)\\Microsoft Security Client\\*.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-dll-sideloading-via-trusted-microsoft-programs.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-dll-sideloading-via-trusted-microsoft-programs.asciidoc new file mode 100644 index 0000000000..d37eba578c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-dll-sideloading-via-trusted-microsoft-programs.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-potential-dll-sideloading-via-trusted-microsoft-programs]] +=== Potential DLL SideLoading via Trusted Microsoft Programs + +Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and + not (process.name : ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe") or + process.executable : ("?:\\Windows\\explorer.exe", + "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE", + "?:\\Program Files?(x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE", + "?:\\Windows\\System32\\Dism.exe", + "?:\\Windows\\SysWOW64\\Dism.exe", + "?:\\Windows\\System32\\inetsrv\\w3wp.exe") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-dns-tunneling-via-iodine.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-dns-tunneling-via-iodine.asciidoc new file mode 100644 index 0000000000..40d7772644 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-dns-tunneling-via-iodine.asciidoc 
@@ -0,0 +1,62 @@ +[[prebuilt-rule-7-16-4-potential-dns-tunneling-via-iodine]] +=== Potential DNS Tunneling via Iodine + +Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://code.kryo.se/iodine/ + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Command and Control + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-evasion-via-filter-manager.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-evasion-via-filter-manager.asciidoc new file mode 100644 index 0000000000..7aa668d520 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-evasion-via-filter-manager.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-potential-evasion-via-filter-manager]] +=== Potential Evasion via Filter Manager + +The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : "fltMC.exe" and process.args : "unload" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-invoke-mimikatz-powershell-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-invoke-mimikatz-powershell-script.asciidoc new file mode 100644 index 0000000000..c9a729f93d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-invoke-mimikatz-powershell-script.asciidoc 
@@ -0,0 +1,160 @@ +[[prebuilt-rule-7-16-4-potential-invoke-mimikatz-powershell-script]] +=== Potential Invoke-Mimikatz PowerShell Script + +Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/software/S0002/ +* https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Mimikatz PowerShell Activity + +[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached +credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained +an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects +such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network. + +This rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump +credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be +treated with high priority as it typically represents an active adversary. 
+ +More information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821). + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the + "Related Rules" section. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the +target host. + - Examine network and security events in the environment to identify potential lateral movement using compromised credentials. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. 
+ +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6 +- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Validate that cleartext passwords are disabled in memory for use with `WDigest`. +- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide +this capability. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be configured (Enable). 
+ +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and +powershell.file.script_block_text:( + (DumpCreds and + DumpCerts) or + "sekurlsa::logonpasswords" or + ("crypto::certificates" and + "CERT_SYSTEM_STORE_LOCAL_MACHINE") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc new file mode 100644 index 0000000000..dd66345de2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-potential-lsass-clone-creation-via-psscapturesnapshot]] +=== Potential LSASS Clone Creation via PssCaptureSnapShot + +Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/ +* https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation. + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.code:"4688" and + process.executable : "?:\\Windows\\System32\\lsass.exe" and + process.parent.executable : "?:\\Windows\\System32\\lsass.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc new file mode 100644 index 0000000000..f283300a53 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-potential-lsass-memory-dump-via-psscapturesnapshot]] +=== Potential LSASS Memory Dump via PssCaptureSnapShot + +Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access. + +*Rule type*: threshold + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/ +* https://twitter.com/sbousseaden/status/1280619931516747777?lang=en + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold +rule cardinality feature. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.code:10 and + winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or + "c:\\Windows\\system32\\lsass.exe" or + "c:\\Windows\\System32\\lsass.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-microsoft-office-sandbox-evasion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-microsoft-office-sandbox-evasion.asciidoc new file mode 100644 index 0000000000..891dbb41dd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-microsoft-office-sandbox-evasion.asciidoc 
@@ -0,0 +1,64 @@ +[[prebuilt-rule-7-16-4-potential-microsoft-office-sandbox-evasion]] +=== Potential Microsoft Office Sandbox Evasion + +Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf +* https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/ +* https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Defense Evasion + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and not event.type:deletion and file.name:~$*.zip and host.os.type:macos + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Virtualization/Sandbox Evasion +** ID: T1497 +** Reference URL: https://attack.mitre.org/techniques/T1497/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-modification-of-accessibility-binaries.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-modification-of-accessibility-binaries.asciidoc new file mode 100644 index 0000000000..011e288c94 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-modification-of-accessibility-binaries.asciidoc 
@@ -0,0 +1,176 @@ +[[prebuilt-rule-7-16-4-potential-modification-of-accessibility-binaries]] +=== Potential Modification of Accessibility Binaries + +Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/blog/practical-security-engineering-stateful-detection + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Modification of Accessibility Binaries + +Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by +accessibility features. Windows contains accessibility features that may be launched with a key combination before a +user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs +are launched to get a command prompt or backdoor without logging in to the system. + +More details can be found [here](https://attack.mitre.org/techniques/T1546/008/). + +This rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features +binaries' original file names, which is likely a custom binary deployed by the attacker. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive +(B-TP), as this configuration can put the user and the domain at risk. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started", "info") and + process.parent.name : ("Utilman.exe", "winlogon.exe") and user.name == "SYSTEM" and + process.args : + ( + "C:\\Windows\\System32\\osk.exe", + "C:\\Windows\\System32\\Magnify.exe", + "C:\\Windows\\System32\\Narrator.exe", + "C:\\Windows\\System32\\Sethc.exe", + "utilman.exe", + "ATBroker.exe", + "DisplaySwitch.exe", + "sethc.exe" + ) + and not process.pe.original_file_name in + ( + "osk.exe", + "sethc.exe", + "utilman2.exe", + "DisplaySwitch.exe", + "ATBroker.exe", + "ScreenMagnifier.exe", + "SR.exe", + "Narrator.exe", + "magnify.exe", + "MAGNIFY.EXE" + ) + +/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */ +/* and process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted" */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Accessibility Features +** ID: T1546.008 +** Reference URL: https://attack.mitre.org/techniques/T1546/008/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Accessibility Features +** ID: T1546.008 +** Reference URL: https://attack.mitre.org/techniques/T1546/008/ 
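Review bot: the rule query in this hunk ships with its only anti-spoofing control commented out ("/* uncomment once in winlogbeat ... */ process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted"), so the `not process.pe.original_file_name in (...)` check is the whole detection and the comment itself documents that a rogue binary with a matching original file name is not caught. Since `logs-endpoint.events.*` is one of the listed indices and the InstallerFileTakeOver rule in this same package already uses the `?field` optional-field syntax (`?process.Ext.token.integrity_level_name`, `?winlog.event_data.IntegrityLevel`), the signature clause could be enabled as an optional condition instead of being left as a comment, with the winlogbeat limitation noted in the Setup section. Minor: `user.name == "SYSTEM"` is a case-sensitive exact match while the rest of the query uses the case-insensitive `:` operator; pick one convention.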
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-openssh-backdoor-logging-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-openssh-backdoor-logging-activity.asciidoc new file mode 100644 index 0000000000..d60e4fd871 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-openssh-backdoor-logging-activity.asciidoc 
@@ -0,0 +1,111 @@ +[[prebuilt-rule-7-16-4-potential-openssh-backdoor-logging-activity]] +=== Potential OpenSSH Backdoor Logging Activity + +Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/eset/malware-ioc/tree/master/sshdoor +* https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Persistence +* Credential Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and + ( + (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history")) or + file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or + file.path : + ( + "/private/etc/*--", + "/usr/share/*", + "/usr/include/*", + "/usr/local/include/*", + "/private/tmp/*", + "/private/var/tmp/*", + "/usr/tmp/*", + "/usr/share/man/*", + "/usr/local/share/*", + "/usr/lib/*.so.*", + "/private/etc/ssh/.sshd_auth", + "/usr/bin/ssd", + "/private/var/opt/power", + "/private/etc/ssh/ssh_known_hosts", + "/private/var/html/lol", + "/private/var/log/utmp", + "/private/var/lib", + "/var/run/sshd/sshd.pid", + "/var/run/nscd/ns.pid", + "/var/run/udev/ud.pid", + "/var/run/udevd.pid" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-password-spraying-of-microsoft-365-user-accounts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-password-spraying-of-microsoft-365-user-accounts.asciidoc new file mode 100644 index 0000000000..406710bbcb --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-password-spraying-of-microsoft-365-user-accounts.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-7-16-4-potential-password-spraying-of-microsoft-365-user-accounts]] +=== Potential Password Spraying of Microsoft 365 User Accounts + +Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and +event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ 
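Review bot: the description states the detection criterion ("25 failed ... attempts from a single IP address within 30 minutes") but the rendered doc shows only the KQL filter, not the threshold field or value that implement it, so a reader cannot verify that the threshold is keyed on the source IP or what count triggers it; add the threshold settings next to the rule query. Also, with `*References*: None` and the technique mapped only to T1110 (Brute Force), consider adding the Password Spraying sub-technique T1110.003 so the ATT&CK mapping matches the rule title.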
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-persistence-via-atom-init-script-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-persistence-via-atom-init-script-modification.asciidoc new file mode 100644 index 0000000000..d91686422d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-persistence-via-atom-init-script-modification.asciidoc 
@@ -0,0 +1,64 @@ +[[prebuilt-rule-7-16-4-potential-persistence-via-atom-init-script-modification]] +=== Potential Persistence via Atom Init Script Modification + +Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js +* https://flight-manual.atom.io/hacking-atom/sections/the-init-file/ + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:"file" and not event.type:"deletion" and + file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-persistence-via-login-hook.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-persistence-via-login-hook.asciidoc new file mode 100644 index 0000000000..094901313e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-persistence-via-login-hook.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-potential-persistence-via-login-hook]] +=== Potential Persistence via Login Hook + +Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:"file" and not event.type:"deletion" and + file.name:"com.apple.loginwindow.plist" and + process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or "iMazing Profile Editor" +)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Plist Modification +** ID: T1547.011 +** Reference URL: https://attack.mitre.org/techniques/T1547/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc new file mode 100644 index 0000000000..c35c56d513 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc 
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-potential-privacy-control-bypass-via-localhost-secure-copy]] +=== Potential Privacy Control Bypass via Localhost Secure Copy + +Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Privilege Escalation +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name:"scp" and + process.args:"StrictHostKeyChecking=no" and + process.command_line:("scp *localhost:/*", "scp *127.0.0.1:/*") and + not process.args:"vagrant@*127.0.0.1*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privacy-control-bypass-via-tccdb-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privacy-control-bypass-via-tccdb-modification.asciidoc new file mode 100644 index 0000000000..5d18baeea9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privacy-control-bypass-via-tccdb-modification.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-potential-privacy-control-bypass-via-tccdb-modification]] +=== Potential Privacy Control Bypass via TCCDB Modification + +Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/ +* https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh +* https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.name : "sqlite*" and + process.args : "/*/Application Support/com.apple.TCC/TCC.db" and + not process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privilege-escalation-via-installerfiletakeover.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privilege-escalation-via-installerfiletakeover.asciidoc new file mode 100644 index 0000000000..a900c7217d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privilege-escalation-via-installerfiletakeover.asciidoc 
@@ -0,0 +1,141 @@ +[[prebuilt-rule-7-16-4-potential-privilege-escalation-via-installerfiletakeover]] +=== Potential Privilege Escalation via InstallerFileTakeOver + +Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/klinix5/InstallerFileTakeOver + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Privilege Escalation via InstallerFileTakeOver + +InstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an +unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY. + +This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself +to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), +which is outside the scope of this rule. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Look for additional processes spawned by the process, command lines, and network communications. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- Verify whether a digital signature exists in the executable, and if it is valid. + +### Related rules + +- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +/* This rule is compatible with both Sysmon and Elastic Endpoint */ + +process where event.type == "start" and + (?process.Ext.token.integrity_level_name : "System" or + ?winlog.event_data.IntegrityLevel : "System") and + ( + (process.name : "elevation_service.exe" and + not process.pe.original_file_name == "elevation_service.exe") or + + (process.parent.name : "elevation_service.exe" and + process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ 
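Review bot: in the investigation guide, "an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY" names the account backwards; the target is `NT AUTHORITY\SYSTEM`, and "proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability" reads better as "for the CVE-2021-41379 vulnerability". In the rule query, the first branch `process.name : "elevation_service.exe" and not process.pe.original_file_name == "elevation_service.exe"` only discriminates when the PE original file name is present in the event; since the leading comment claims the rule is compatible with both Sysmon and Elastic Endpoint, the Setup section should state whether both sources populate `process.pe.original_file_name`, otherwise the second branch (`elevation_service.exe` spawning `rundll32.exe`, `cmd.exe` or `powershell.exe`) is the only one that fires on that source. The guide's "An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule" is a useful scope statement and should also be reflected in the false positive section, which currently only says to check the digital signature.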
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privilege-escalation-via-local-kerberos-relay-over-ldap.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privilege-escalation-via-local-kerberos-relay-over-ldap.asciidoc new file mode 100644 index 0000000000..ca0cc2db2f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privilege-escalation-via-local-kerberos-relay-over-ldap.asciidoc 
@@ -0,0 +1,87 @@ +[[prebuilt-rule-7-16-4-potential-privilege-escalation-via-local-kerberos-relay-over-ldap]] +=== Potential Privilege Escalation via Local Kerberos Relay over LDAP + +Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/Dec0ne/KrbRelayUp +* https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html +* https://github.com/cube0x0/KrbRelay + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation +* Credential Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +authentication where + + /* event 4624 need to be logged */ + event.action == "logged-in" and event.outcome == "success" and + + /* authenticate locally via relayed kerberos ticket */ + winlog.event_data.AuthenticationPackageName : "Kerberos" and winlog.logon.type == "Network" and + source.ip == "127.0.0.1" and source.port > 0 and + + /* Impersonate Administrator user via S4U2Self service ticket */ + winlog.event_data.TargetUserSid : "S-1-5-21-*-500" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control 
Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc new file mode 100644 index 0000000000..7fc2d35161 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc 
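Review bot: `winlog.event_data.TargetUserSid : "S-1-5-21-*-500"` matches RID 500 under any `S-1-5-21` domain SID, which includes the domain's built-in Administrator account as well as the local machine's, so the description's "the target user SID is the built-in local Administrator account" is narrower than what the query matches; either widen the description or document in the query comment that the domain Administrator is also covered. This file also lacks the "Investigation guide" / "Setup" block that the other EQL rules in this package carry (the note that `event.ingested` is not populated on non-agent indices before 8.2); it applies here as well, since the rule runs on `winlogbeat-*` and `logs-system.*`. Minor: the query comment `/* event 4624 need to be logged */` should read "event 4624 needs to be logged".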
@@ -0,0 +1,92 @@ +[[prebuilt-rule-7-16-4-potential-privileged-escalation-via-samaccountname-spoofing]] +=== Potential Privileged Escalation via SamAccountName Spoofing + +Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e +* https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/ +* https://github.com/cube0x0/noPac +* https://twitter.com/exploitph/status/1469157138928914432 +* https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence +* Privilege Escalation + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +iam where event.action == "renamed-user-account" and + /* machine account name renamed to user like account name */ + winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-process-injection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-process-injection-via-powershell.asciidoc new file mode 100644 index 0000000000..9d403bc5f1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-process-injection-via-powershell.asciidoc 
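Review bot: the Setup section contains only the `event.ingested` note, but the rule depends on account rename events (`event.action == "renamed-user-account"`) being audited at all; add the Windows audit policy that must be enabled on domain controllers for those events to exist, or the rule silently matches nothing. The title "Potential Privileged Escalation via SamAccountName Spoofing" should read "Potential Privilege Escalation ..." to match the tactic name used in the Tags and Framework sections and the other rule titles in this package, and the query comment "machine account name renamed to user like account name" should read "user-like account name". The description says the rename "may indicate an attempt to exploit CVE-2021-42278" while the reference list also cites CVE-2021-42287; a one-line note on why only one CVE is named would avoid the question in triage.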
@@ -0,0 +1,150 @@ +[[prebuilt-rule-7-16-4-potential-process-injection-via-powershell]] +=== Potential Process Injection via PowerShell + +Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1 +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1 +* https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Process Injection via PowerShell + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +PowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, +like the execution of inline C# code, PSReflect, Get-ProcAddress, etc. + +Red Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject +payloads directly into the memory without touching the disk to circumvent file-based security protections. 
+ +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Check if the imported function was executed and which process it targeted. +- Check if the injected code can be retrieved (hardcoded in the script or on command line logs). + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and + powershell.file.script_block_text : ( + (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or + LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and + (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or + SuspendThread or ResumeThread or GetDelegateForFunctionPointer) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Dynamic-link Library Injection +** ID: T1055.001 +** Reference URL: https://attack.mitre.org/techniques/T1055/001/ +* Sub-technique: +** Name: Portable Executable Injection +** ID: T1055.002 +** Reference URL: https://attack.mitre.org/techniques/T1055/002/ 
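Review bot: in the Setup section, "Steps to implement the logging policy with with Advanced Audit Configuration" has a doubled "with", and the path shown (`Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging`) is an Administrative Templates policy, not an Advanced Audit Configuration setting, so the sentence should say "via Group Policy". In the rule query, the first group (`VirtualAlloc ... GetProcAddress, OpenProcess ...`) and the second group (`WriteProcessMemory ... CreateThread ... GetDelegateForFunctionPointer`) both contain names that benign PSReflect-style tooling also emits, so the false positive section's "This activity is unlikely to happen legitimately" should at least point at the PSReflect rule already listed under Related rules as the place to tune exceptions. In the triage text, "solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code" reads better as "solid capabilities for interacting with the Win32 API in an uncomplicated and reliable way, such as inline C# execution, PSReflect, Get-ProcAddress, etc."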
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-protocol-tunneling-via-earthworm.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-protocol-tunneling-via-earthworm.asciidoc new file mode 100644 index 0000000000..fb77a96a15 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-protocol-tunneling-via-earthworm.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-potential-protocol-tunneling-via-earthworm]] +=== Potential Protocol Tunneling via EarthWorm + +Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://rootkiter.com/EarthWorm/ +* https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/ + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Command and Control + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.args : "-s" and process.args : "-d" and process.args : "rssocks" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ 
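Review bot: the query requires `-s`, `-d` and `rssocks` to all be present as separate args, but the investigation guide never explains what those arguments denote; add a short triage note stating which argument identifies the remote endpoint of the tunnel so an analyst knows which value to pivot on, and state that `rssocks` is the discriminating token, since `-s` and `-d` alone are common switches. The guide also has no triage, false positive or response sections, unlike the other rules in this package, even though the description's "tunnel network communications ... to enable access to otherwise unreachable systems" gives enough to write the response steps (isolate the host, identify the peer the tunnel connects to). The reference `http://rootkiter.com/EarthWorm/` is plain HTTP.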
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-remote-credential-access-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-remote-credential-access-via-registry.asciidoc new file mode 100644 index 0000000000..933d7aaea1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-remote-credential-access-via-registry.asciidoc 
@@ -0,0 +1,147 @@ +[[prebuilt-rule-7-16-4-potential-remote-credential-access-via-registry]] +=== Potential Remote Credential Access via Registry + +Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement +* Credential Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Remote Credential Access via Registry + +Dumping registry hives is a common way to access credential information. Some hives store credential material, +such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain +cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to +decrypt these secrets. + +Attackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped +credentials to access other systems in the domain. + +#### Possible investigation steps + +- Identify the specifics of the involved assets, such as their role, criticality, and associated users. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Determine the privileges of the compromised accounts. 
+- Investigate other alerts associated with the user/source host during the past 48 hours. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target +host. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious +must be monitored by the security team. + +### Related rules + +- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine if other hosts were compromised. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Reimage the host operating system or restore the compromised files to clean versions. +- Ensure that the machine has the latest security updates and is not running unsupported Windows versions. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be +collected from the host for this detection to work. 
+ +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, user.id with maxspan=1m + [authentication where + event.outcome == "success" and event.action == "logged-in" and + winlog.logon.type == "Network" and not user.name == "ANONYMOUS LOGON" and + not user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and source.ip !="::1"] + [file where event.action == "creation" and process.name : "svchost.exe" and + file.Ext.header_bytes : "72656766*" and user.id : "S-1-5-21-*" and file.size >= 30000 and + not file.path : + ("?:\\Windows\\system32\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat.LOG?", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat", + "?:\\Users\\*\\ntuser.dat.LOG?", + "?:\\Users\\*\\NTUSER.DAT")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ 
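Review bot: in the second sequence step, `file.Ext.header_bytes : "72656766*"` is an opaque magic value; add a query comment that it is the hex encoding of the `regf` registry hive signature, which ties the file-creation step to the "Dumping registry hives" framing in the guide. In the Setup section, "Both data should be collected from the host" should read "Both data sources must be collected from the host", and it should name which index serves which step: the `authentication` step comes from the system integration (`winlogbeat-*` / `logs-system.*`) and the `file` step from `logs-endpoint.events.*`, so the rule can never fire if only one of them is shipped. Style: `source.ip !="::1"` is missing the space after `!=` that the rest of the query uses.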
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-remote-desktop-shadowing-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-remote-desktop-shadowing-activity.asciidoc new file mode 100644 index 0000000000..6ab48d8749 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-remote-desktop-shadowing-activity.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-7-16-4-potential-remote-desktop-shadowing-activity]] +=== Potential Remote Desktop Shadowing Activity + +Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing +* https://swarm.ptsecurity.com/remote-desktop-services-shadowing/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +/* Identifies the modification of RDP Shadow registry or + the execution of processes indicative of active shadow RDP session */ + +any where + (event.category == "registry" and + registry.path : "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow" + ) or + (event.category == "process" and + (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or + (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-remote-desktop-tunneling-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-remote-desktop-tunneling-detected.asciidoc new file mode 100644 index 0000000000..f099c00c23 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-remote-desktop-tunneling-detected.asciidoc 
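Review bot: the process half of the query is under-parenthesised. As written, `(event.category == "process" and (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*"))` binds `and` before `or`, so the `event.category == "process"` guard applies only to the `RdpSaUacHelper.exe`/`RdpSaProxy.exe` alternative and the `mstsc.exe /shadow:*` alternative stands on its own; wrap the two alternatives in a shared pair of parentheses so the guard covers both. The description's "other users active RDP sessions" needs the possessive, "other users' active RDP sessions". The guide offers only the Setup note with no triage or false positive steps, yet the registry half will fire on any write to the `Terminal Services\Shadow` policy value, including administrative configuration, so a sentence on confirming who made the change and whether it was sanctioned belongs there.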
@@ -0,0 +1,122 @@ +[[prebuilt-rule-7-16-4-potential-remote-desktop-tunneling-detected]] +=== Potential Remote Desktop Tunneling Detected + +Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Command and Control + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Remote Desktop Tunneling Detected + +Protocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, +ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would +filter to reach their destination. + +Attackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP +connections but may be more permissive to other protocols. + +This rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated +with tools that perform tunneling. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine network data to determine if the host communicated with external servers using the tunnel. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. +- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key +modification, etc. Inspect the host to learn which method was used and to determine a response for the case. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + /* RDP port and usual SSH tunneling related switches in command line */ + process.args : "*:3389" and + process.args : ("-L", "-P", "-R", "-pw", "-ssh") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-reverse-shell-activity-via-terminal.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-reverse-shell-activity-via-terminal.asciidoc new file mode 100644 index 0000000000..15251cc854 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-reverse-shell-activity-via-terminal.asciidoc 
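Review bot: the description says "RDP over a reverse SSH Tunnel", but the switch list `process.args : ("-L", "-P", "-R", "-pw", "-ssh")` includes `-L`, which is local (forward) port forwarding, so the rule covers both directions; the description and the guide's "This rule looks for command lines involving the `3389` port ... and options commonly associated with tools that perform tunneling" should say so. The `-P`, `-pw` and `-ssh` switches are plink's rather than OpenSSH's, and the doc never names the tool; naming it in the guide would make the false positive advice more concrete than "programs that are unrelated to tunneling". Since `-L` and `-R` are short switches shared by many utilities, the guide should also note that the `*:3389` argument is the real discriminator and that a match on `-L` plus an unrelated `:3389` string is the expected benign pattern.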
@@ -0,0 +1,83 @@ +[[prebuilt-rule-7-16-4-potential-reverse-shell-activity-via-terminal]] +=== Potential Reverse Shell Activity via Terminal + +Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md +* https://github.com/WangYihang/Reverse-Shell-Manager +* https://www.netsparker.com/blog/web-security/understanding-reverse-shells/ + +*Tags*: + +* Elastic +* Host +* Linux +* macOS +* Threat Detection +* Execution + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name in ("sh", "bash", "zsh", "dash", "zmodload") and + process.args : ("*/dev/tcp/*", "*/dev/udp/*", "*zsh/net/tcp*", "*zsh/net/udp*") and + + /* noisy FPs */ + not (process.parent.name : "timeout" and process.executable : "/var/lib/docker/overlay*") and + not process.command_line : ("*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*") and + not process.parent.command_line : "runc init" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-secure-file-deletion-via-sdelete-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-secure-file-deletion-via-sdelete-utility.asciidoc new file mode 100644 index 0000000000..88eef0f9aa --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-secure-file-deletion-via-sdelete-utility.asciidoc 
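Review bot: in the rule query, `process.name in ("sh", "bash", "zsh", "dash", "zmodload")` lists `zmodload`, which is a zsh builtin rather than an executable, so it can never be a `process.name`; the `*zsh/net/tcp*` / `*zsh/net/udp*` argument patterns are what actually cover the `zmodload zsh/net/tcp` case, and the name should be dropped to avoid implying otherwise. Separately, the `/* noisy FPs */` block hard-codes site-specific hosts (`*/dev/tcp/sirh_db/*`, `*/dev/tcp/remoteiot.com/*`, `*dev/tcp/elk.stag.one/*`, `*dev/tcp/kafka/*`) into a shipped prebuilt rule; these belong in per-deployment exceptions, and excluding a public domain such as remoteiot.com suppresses precisely the outbound `/dev/tcp` connection the rule exists to catch.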
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-potential-secure-file-deletion-via-sdelete-utility]] +=== Potential Secure File Deletion via SDelete Utility + +Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Verify process details such as command line and hash to confirm this activity legitimacy. + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type == "change" and file.name : "*AAA.AAA" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal on Host +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: File Deletion +** ID: T1070.004 +** Reference URL: https://attack.mitre.org/techniques/T1070/004/ 
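Review bot: the query `file where event.type == "change" and file.name : "*AAA.AAA"` carries no process constraint, yet the triage guidance is to "Verify process details such as command line and hash"; anything that renames a file to a name ending in `AAA.AAA` will alert, so the guide should state that the process fields on the file event are the pivot, or the query should key on more of SDelete's rename sequence (the same file is renamed through successive letter patterns) to raise confidence. `*References*: None` should at minimum link the Sysinternals SDelete documentation, since the detection depends entirely on that tool's specific overwrite-and-rename behaviour.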
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-shadow-credentials-added-to-ad-object.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-shadow-credentials-added-to-ad-object.asciidoc new file mode 100644 index 0000000000..af1b86d114 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-shadow-credentials-added-to-ad-object.asciidoc 
@@ -0,0 +1,95 @@ +[[prebuilt-rule-7-16-4-potential-shadow-credentials-added-to-ad-object]] +=== Potential Shadow Credentials added to AD Object + +Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab +* https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials +* https://github.com/OTRF/Set-AuditRule + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access +* Active Directory + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +``` + +The above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule. +As this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise. 
+ +``` +Set-AuditRule -AdObjectPath 'AD:\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"Directory Service Changes" and event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-shell-via-web-server.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-shell-via-web-server.asciidoc new file mode 100644 index 0000000000..b7ed7342e3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-potential-shell-via-web-server.asciidoc 
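Review bot: the Setup command `Set-AuditRule -AdObjectPath 'AD:\CN=Users,DC=Domain,DC=com' ... -InheritanceFlags Children` places the SACL only on the default Users container, so user and computer objects in any other OU (where most production accounts actually live) generate no 5136 event and the rule silently misses them; the guide should instruct applying the audit rule at the domain root with inheritance, or on each OU holding accounts, and should flag `DC=Domain,DC=com` as a placeholder to replace. The query `event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink"` also matches every write to the attribute, including value removals and legitimate key-trust enrolment writes, so consider constraining the operation type and documenting the expected benign writers so operators can add exceptions rather than disable the rule.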
@@ -0,0 +1,68 @@ +[[prebuilt-rule-7-16-4-potential-shell-via-web-server]] +=== Potential Shell via Web Server + +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pentestlab.blog/tag/web-shell/ + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Persistence + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and +process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*") and +process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-kerberos-ticket-request.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-kerberos-ticket-request.asciidoc new file mode 100644 index 0000000000..fe0c658ee5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-kerberos-ticket-request.asciidoc 
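Review bot: the child list `process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*")` omits `sh`, which is what `system()`- and `exec()`-style calls from a web shell actually spawn (`/bin/sh -c ...`), so the most common web-shell child process is not covered; add `sh`. On the parent side, `"www-data"` in `process.parent.name:(...)` is an account name, not a process name, and will never match; if the intent is to catch execution under the web-server account, match it on `user.name` instead. Stacks using PHP-FPM spawn the shell from `php-fpm*` worker processes rather than from `nginx`, so that parent should be added too. This is also the only rule in this set shipped without an Investigation guide section.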
@@ -0,0 +1,156 @@ +[[prebuilt-rule-7-16-4-powershell-kerberos-ticket-request]] +=== PowerShell Kerberos Ticket Request + +Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cobalt.io/blog/kerberoast-attack-techniques +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Explicit PowerShell Kerberos Ticket Request + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making +it available for use in various environments, creating an attractive way for attackers to execute code. + +Accounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute +force to crack the user password, which is used to encrypt a Kerberos TGS ticket. + +Attackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to +perform Kerberoasting. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate if the script was executed, and if so, which account was targeted. +- Validate if the account has an SPN associated with it. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Check if the script has any other functionality that can be potentially malicious. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) +related to this account and service name for additional information. + +### False positive analysis + +- A possible false positive can be identified if the script content is not malicious/harmful or does not request +Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password +requirements and policy. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. Prioritize privileged accounts. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and + powershell.file.script_block_text : ( + KerberosRequestorSecurityToken + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: Kerberoasting +** ID: T1558.003 +** Reference URL: https://attack.mitre.org/techniques/T1558/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-keylogging-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-keylogging-script.asciidoc new file mode 100644 index 0000000000..f751806544 --- /dev/null 
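Review bot: the investigation guide heading `### Investigating Explicit PowerShell Kerberos Ticket Request` does not match the rule title `PowerShell Kerberos Ticket Request`; drop "Explicit" so guide and rule agree. In Setup, "Steps to implement the logging policy with with Advanced Audit Configuration" has a duplicated word and mislabels the mechanism: the path shown (`Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging`) is a Group Policy administrative template, not an Advanced Audit Policy Configuration setting, so "via Group Policy" would be accurate. The same sentence is copied verbatim into the Keylogging, MiniDump and PSReflect rules in this patch and should be fixed in all four.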
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-keylogging-script.asciidoc 
@@ -0,0 +1,158 @@ +[[prebuilt-rule-7-16-4-powershell-keylogging-script]] +=== PowerShell Keylogging Script + +Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1 +* https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Collection + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Keylogging Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other +valuable information as credit card data and confidential conversations. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Investigate if the script stores the captured data locally. +- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration. +- Assess network data to determine if the host communicated with the exfiltration server. + +### False positive analysis + +- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making +false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and + ( + powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or "Get-Keystrokes") or + powershell.file.script_block_text : ( + (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and + (GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL") + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Input Capture +** ID: T1056 +** Reference URL: https://attack.mitre.org/techniques/T1056/ +* Sub-technique: +** Name: Keylogging +** ID: T1056.001 +** Reference URL: https://attack.mitre.org/techniques/T1056/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ 
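Review bot: the query term `"WM_KEYBOARD_LL"` is not a Windows identifier; the low-level keyboard hook type passed to `SetWindowsHookEx` is `WH_KEYBOARD_LL` (value 13), and the messages such a hook receives are `WM_KEYDOWN`/`WM_KEYUP`. As written, the second branch `(SetWindowsHook... ) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL")` only catches a hook-based keylogger if it also calls `GetForegroundWindow` or `GetWindowText*`; a script that installs the hook with `WH_KEYBOARD_LL` and simply logs the key codes is missed. Replace the term with `"WH_KEYBOARD_LL"` and consider also matching the literal `13` alongside the hook call, since many scripts pass the value directly. The Setup text repeats the "with with" typo.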
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-minidump-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-minidump-script.asciidoc new file mode 100644 index 0000000000..f730806229 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-minidump-script.asciidoc 
@@ -0,0 +1,150 @@ +[[prebuilt-rule-7-16-4-powershell-minidump-script]] +=== PowerShell MiniDump Script + +This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1 +* https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1 +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell MiniDump Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other +privileged information stored in the process memory. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Check if the imported function was executed and which process it targeted. + +### False positive analysis + +- Regular users do not have a business justification for using scripting utilities to dump process memory, making false +positives unlikely. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-psreflect-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-psreflect-script.asciidoc new file mode 100644 index 0000000000..2d6269cb5c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-psreflect-script.asciidoc 
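Review bot: the rule description says it detects dumping "using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump", but the query `powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)` contains no term for the Windows Error Reporting path at all; either add the relevant WER identifiers or narrow the description to dbghelp so the documentation matches what is actually detected. The reversed-string term `pmuDetirWpmuDiniM` is a sensible obfuscation catch, but `MiniDumpWithFullMemory` on its own is a MINIDUMP_TYPE flag and will match any script that merely references that enum; that should be mentioned in the false positive analysis, which currently says false positives are unlikely. Setup text again reads "with with".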
@@ -0,0 +1,177 @@ +[[prebuilt-rule-7-16-4-powershell-psreflect-script]] +=== PowerShell PSReflect Script + +Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1 +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell PSReflect Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +PSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to +create enums and structs easily—all without touching the disk. + +Although this is an interesting project for every developer and admin out there, it is mainly used in the red team and +malware tooling for its capabilities. + +Detecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through +PowerShell, enabling defenders to discover tools being dropped in the environment. 
+ +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The +script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` +for filtering). +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Check for additional PowerShell and command-line logs that indicate that imported functions were run. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Retrieve the script and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. 
+ +### Related rules + +- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 +- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43 +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +## Setup + +The 'PowerShell Script Block Logging' logging policy must be configured (Enable). + +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and + powershell.file.script_block_text:( + "New-InMemoryModule" or + "Add-Win32Type" or + psenum or + DefineDynamicAssembly or + DefineDynamicModule or + "Reflection.TypeAttributes" or + "Reflection.Emit.OpCodes" or + "Reflection.Emit.CustomAttributeBuilder" or + "Runtime.InteropServices.DllImportAttribute" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-script-block-logging-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-script-block-logging-disabled.asciidoc new file mode 100644 index 0000000000..0d2c6207ea --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-script-block-logging-disabled.asciidoc 
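Review bot: in the PSReflect Script investigation guide (the hunk ending just above, before the next file header), the Setup heading "Steps to implement the logging policy with with Advanced Audit Configuration" has a doubled "with", and the path it introduces (Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging) is a Group Policy administrative template, not Advanced Audit Policy Configuration, so "via Group Policy" would describe it accurately. The same guide has a stray "that" in "The script content that may be split into multiple script blocks", writes the cmdlet as plain "Get-FileHash" where the payload-encoded guide later in this patch uses `Get-FileHash`, and says the policy "must be configured (Enable)" where the sibling rules say "must be enabled"; one wording for the shared Setup text would keep the package consistent.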
@@ -0,0 +1,143 @@ +[[prebuilt-rule-7-16-4-powershell-script-block-logging-disabled]] +=== PowerShell Script Block Logging Disabled + +Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Script Block Logging Disabled + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making +it available in various environments and creating an attractive way for attackers to execute code. + +PowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it +processes, giving defenders visibility of PowerShell scripts and sequences of executed commands. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether it makes sense for the user to use PowerShell to complete tasks. +- Investigate if PowerShell scripts were run after logging was disabled. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 +- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43 +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be configured (Enable). 
+ +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type == "change" and + registry.path : + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging" + and registry.data.strings : ("0", "0x00000000") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-discovery-related-windows-api-functions.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-discovery-related-windows-api-functions.asciidoc new file mode 100644 index 0000000000..a2cfb8be78 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-discovery-related-windows-api-functions.asciidoc 
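Review bot: in the PowerShell Script Block Logging Disabled rule query (the hunk ending above this file header), `registry where event.type == "change"` combined with `registry.data.strings : ("0", "0x00000000")` only fires when the `EnableScriptBlockLogging` value is rewritten to zero; removing the value or its key also takes the enabling policy away but produces a deletion event rather than a change, so either extend the query to the deletion event type for the same `registry.path` or state that gap in the triage text so analysts know what the rule does not cover. The Setup section also repeats the doubled "with" in "with with Advanced Audit Configuration".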
@@ -0,0 +1,167 @@ +[[prebuilt-rule-7-16-4-powershell-suspicious-discovery-related-windows-api-functions]] +=== PowerShell Suspicious Discovery Related Windows API Functions + +This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413 +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Discovery Related Windows API Functions + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries +like PSReflect or Get-ProcAddress Cmdlet. 
+ +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Check for additional PowerShell and command-line logs that indicate that imported functions were run. + +### False positive analysis + +- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not +contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. +However, analysts should keep in mind that this is not a common way of getting information, making it suspicious. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and + powershell.file.script_block_text : ( + NetShareEnum or + NetWkstaUserEnum or + NetSessionEnum or + NetLocalGroupEnum or + NetLocalGroupGetMembers or + DsGetSiteName or + DsEnumerateDomainTrusts or + WTSEnumerateSessionsEx or + WTSQuerySessionInformation or + LsaGetLogonSessionData or + QueryServiceObjectSecurity + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Share Discovery +** ID: T1135 +** Reference URL: https://attack.mitre.org/techniques/T1135/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: 
https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-payload-encoded-and-compressed.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-payload-encoded-and-compressed.asciidoc new file mode 100644 index 0000000000..eaf92e6431 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-payload-encoded-and-compressed.asciidoc 
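Review bot: the false positive section of PowerShell Suspicious Discovery Related Windows API Functions (hunk ending above) says isolated discovery can be dismissed but names no benign source of these calls; two of the matched names, `WTSEnumerateSessionsEx` and `WTSQuerySessionInformation`, are terminal-services session APIs that remote desktop administration scripts also call, so naming that as an expected exception source would give analysts something concrete to check. Minor: the Setup text carries the same doubled "with", and this guide drops the blank line between "must be enabled." and "Steps to implement..." that the PSReflect guide keeps.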
@@ -0,0 +1,171 @@ +[[prebuilt-rule-7-16-4-powershell-suspicious-payload-encoded-and-compressed]] +=== PowerShell Suspicious Payload Encoded and Compressed + +Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Payload Encoded and Compressed + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the +disk. This strategy can circumvent string and file-based security protections. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Retrieve the script and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did +not identify malware or suspicious activity related to the user or host, this alert can be dismissed. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and + powershell.file.script_block_text : ( + ( + "System.IO.Compression.DeflateStream" or + "System.IO.Compression.GzipStream" or + "IO.Compression.DeflateStream" or + "IO.Compression.GzipStream" + ) and + FromBase64String + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc new file mode 100644 index 0000000000..0e1f8421ea --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc 
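Review bot: the description of PowerShell Suspicious Payload Encoded and Compressed (hunk ending above) says the pattern is one "malware and security tools heavily use", yet the false positive section only points at engineering or IT business units; naming the security tooling the authors have in mind would make the exception guidance actionable. The query also requires `FromBase64String` together with one of the compression stream classes, so a script that only base64-decodes, or only inflates data it read from disk, is out of scope by design; one sentence stating that scope in the triage text would help analysts interpret a miss. Typo: "with with" in the Setup heading.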
@@ -0,0 +1,150 @@ +[[prebuilt-rule-7-16-4-powershell-suspicious-script-with-audio-capture-capabilities]] +=== PowerShell Suspicious Script with Audio Capture Capabilities + +Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Collection + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Script with Audio Capture Capabilities + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices +connected to the victim's computer. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Investigate if the script stores the recorded data locally and determine if anything was recorded. +- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration. +- Assess network data to determine if the host communicated with the exfiltration server. + +### False positive analysis + +- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of +authorized benign true positives (B-TPs), exceptions can be added. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and + powershell.file.script_block_text : ( + "Get-MicrophoneAudio" or (waveInGetNumDevs and mciSendStringA) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Audio Capture +** ID: T1123 +** Reference URL: https://attack.mitre.org/techniques/T1123/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-script-with-screenshot-capabilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-script-with-screenshot-capabilities.asciidoc new file mode 100644 index 0000000000..ee66d9b799 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-powershell-suspicious-script-with-screenshot-capabilities.asciidoc 
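Review bot: in the PowerShell Suspicious Script with Audio Capture Capabilities query (hunk ending above), the second alternative `(waveInGetNumDevs and mciSendStringA)` matches only the ANSI entry point; the wide-character `mciSendStringW` form of the same winmm function is not covered, so either list both names or document in the guide that only the ANSI variant is detected. The Setup heading again reads "with with Advanced Audit Configuration".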
@@ -0,0 +1,149 @@ +[[prebuilt-rule-7-16-4-powershell-suspicious-script-with-screenshot-capabilities]] +=== PowerShell Suspicious Script with Screenshot Capabilities + +Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs). + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Collection + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Script with Screenshot Capabilities + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes +it available for use in various environments and creates an attractive way for attackers to execute code. + +Attackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course +of an operation. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Investigate if the script stores the captured data locally. +- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration. +- Assess network data to determine if the host communicated with the exfiltration server. + +### False positive analysis + +- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false +positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Related rules + +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and + powershell.file.script_block_text : ( + CopyFromScreen and + ("System.Drawing.Bitmap" or "Drawing.Bitmap") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Screen Capture +** ID: T1113 +** Reference URL: https://attack.mitre.org/techniques/T1113/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-privilege-escalation-via-named-pipe-impersonation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-privilege-escalation-via-named-pipe-impersonation.asciidoc new file mode 100644 index 0000000000..0faab3fc0b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-privilege-escalation-via-named-pipe-impersonation.asciidoc 
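Review bot: the Related rules list of the Screenshot Capabilities guide (hunk ending above) names only the Keylogging rule, and the Audio Capture guide earlier in this patch does not name this one, although the PSReflect guide lists both Collection rules (2f2f4939-0b34-40c2-a0a3-844eb7889f43 and 959a7353-1129-4aa7-9084-30746b256a70); adding each Collection rule to the other's list would make the cross-references symmetric. Same doubled "with" in the Setup heading.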
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-privilege-escalation-via-named-pipe-impersonation]] +=== Privilege Escalation via Named Pipe Impersonation + +Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE") and + process.args : "echo" and process.args : ">" and process.args : "\\\\.\\pipe\\*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ 
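Review bot: the description of the Named Pipe Impersonation rule is missing a word: "a framework such Metasploit's meterpreter getsystem command" should read "such as Metasploit's". In the rule query, `process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE")` uses EQL's case-sensitive `in`, while every other comparison in the same query (`process.args : "echo"`, `process.args : "\\\\.\\pipe\\*"`) uses the case-insensitive `:` operator; writing it as `process.pe.original_file_name : ("Cmd.Exe", "PowerShell.EXE")` keeps the match independent of how a given build capitalises the original file name.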
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc new file mode 100644 index 0000000000..8a8c3ee9f9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-privilege-escalation-via-rogue-named-pipe-impersonation]] +=== Privilege Escalation via Rogue Named Pipe Impersonation + +Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/ +* https://github.com/zcgonvh/EfsPotato +* https://twitter.com/SBousseaden/status/1429530155291193354 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings: +`condition equal "contains" and keyword equal "pipe"` + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.action : "Pipe Created*" and + /* normal sysmon named pipe creation events truncate the pipe keyword */ + file.name : "\\*\\Pipe\\*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-activity-via-compiled-html-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-activity-via-compiled-html-file.asciidoc new file mode 100644 index 0000000000..4f30bf3c42 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-activity-via-compiled-html-file.asciidoc 
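Review bot: the Setup section of the Rogue Named Pipe Impersonation rule states the Sysmon requirement only as pseudo-config, `condition equal "contains" and keyword equal "pipe"`, which an operator cannot paste into a Sysmon configuration; spell out the actual `<PipeEvent onmatch="include">` block with a `<PipeName condition="contains">` entry so the guide is actionable. The only explanation of why `file.name : "\\*\\Pipe\\*"` is anomalous is the inline query comment ("normal sysmon named pipe creation events truncate the pipe keyword"); repeat that sentence in the investigation guide, because analysts triaging an alert read the guide, not the query source.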
@@ -0,0 +1,90 @@ +[[prebuilt-rule-7-16-4-process-activity-via-compiled-html-file]] +=== Process Activity via Compiled HTML File + +Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 14 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "hh.exe" and + process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Compiled HTML File +** ID: T1218.001 +** Reference URL: https://attack.mitre.org/techniques/T1218/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-execution-from-an-unusual-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-execution-from-an-unusual-directory.asciidoc new file mode 100644 index 0000000000..3fb073e12f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-execution-from-an-unusual-directory.asciidoc 
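Review bot: the description of the Process Activity via Compiled HTML File rule explains what CHM files are and that `hh.exe` loads them, but not what the query actually flags, which is a shell or script interpreter (`mshta.exe`, `cmd.exe`, `powershell.exe`, `pwsh.exe`, `powershell_ise.exe`, `cscript.exe`, `wscript.exe`) started with `process.parent.name : "hh.exe"`; add a sentence saying so, so analysts know a plain `hh.exe` launch by itself does not alert and can focus triage on the spawned child.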
@@ -0,0 +1,102 @@ +[[prebuilt-rule-7-16-4-process-execution-from-an-unusual-directory]] +=== Process Execution from an Unusual Directory + +Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started", "info") and + /* add suspicious execution paths here */ +process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Windows\\Tasks\\*.exe","C:\\Intel\\*.exe","C:\\AMD\\Temp\\*.exe","C:\\Windows\\AppReadiness\\*.exe", +"C:\\Windows\\ServiceState\\*.exe","C:\\Windows\\security\\*.exe","C:\\Windows\\IdentityCRL\\*.exe","C:\\Windows\\Branding\\*.exe","C:\\Windows\\csc\\*.exe", + "C:\\Windows\\DigitalLocker\\*.exe","C:\\Windows\\en-US\\*.exe","C:\\Windows\\wlansvc\\*.exe","C:\\Windows\\Prefetch\\*.exe","C:\\Windows\\Fonts\\*.exe", + "C:\\Windows\\diagnostics\\*.exe","C:\\Windows\\TAPI\\*.exe","C:\\Windows\\INF\\*.exe","C:\\Windows\\System32\\Speech\\*.exe","C:\\windows\\tracing\\*.exe", + "c:\\windows\\IME\\*.exe","c:\\Windows\\Performance\\*.exe","c:\\windows\\intel\\*.exe","c:\\windows\\ms\\*.exe","C:\\Windows\\dot3svc\\*.exe", + "C:\\Windows\\panther\\*.exe","C:\\Windows\\RemotePackages\\*.exe","C:\\Windows\\OCR\\*.exe","C:\\Windows\\appcompat\\*.exe","C:\\Windows\\apppatch\\*.exe","C:\\Windows\\addins\\*.exe", + "C:\\Windows\\Setup\\*.exe","C:\\Windows\\Help\\*.exe","C:\\Windows\\SKB\\*.exe","C:\\Windows\\Vss\\*.exe","C:\\Windows\\Web\\*.exe","C:\\Windows\\servicing\\*.exe","C:\\Windows\\CbsTemp\\*.exe", + "C:\\Windows\\Logs\\*.exe","C:\\Windows\\WaaS\\*.exe","C:\\Windows\\ShellExperiences\\*.exe","C:\\Windows\\ShellComponents\\*.exe","C:\\Windows\\PLA\\*.exe", + "C:\\Windows\\Migration\\*.exe","C:\\Windows\\debug\\*.exe","C:\\Windows\\Cursors\\*.exe","C:\\Windows\\Containers\\*.exe","C:\\Windows\\Boot\\*.exe","C:\\Windows\\bcastdvr\\*.exe", + "C:\\Windows\\assembly\\*.exe","C:\\Windows\\TextInput\\*.exe","C:\\Windows\\security\\*.exe","C:\\Windows\\schemas\\*.exe","C:\\Windows\\SchCache\\*.exe","C:\\Windows\\Resources\\*.exe", + 
"C:\\Windows\\rescache\\*.exe","C:\\Windows\\Provisioning\\*.exe","C:\\Windows\\PrintDialog\\*.exe","C:\\Windows\\PolicyDefinitions\\*.exe","C:\\Windows\\media\\*.exe", + "C:\\Windows\\Globalization\\*.exe","C:\\Windows\\L2Schemas\\*.exe","C:\\Windows\\LiveKernelReports\\*.exe","C:\\Windows\\ModemLogs\\*.exe","C:\\Windows\\ImmersiveControlPanel\\*.exe") and + not process.name : ("SpeechUXWiz.exe","SystemSettings.exe","TrustedInstaller.exe","PrintDialog.exe","MpSigStub.exe","LMS.exe","mpam-*.exe") and + not process.executable : + ("?:\\Intel\\Wireless\\WUSetupLauncher.exe", + "?:\\Intel\\Wireless\\Setup.exe", + "?:\\Intel\\Move Mouse.exe", + "?:\\windows\\Panther\\DiagTrackRunner.exe", + "?:\\Windows\\servicing\\GC64\\tzupd.exe", + "?:\\Users\\Public\\res\\RemoteLite.exe", + "?:\\Users\\Public\\IBM\\ClientSolutions\\*.exe", + "?:\\Users\\Public\\Documents\\syspin.exe", + "?:\\Users\\Public\\res\\FileWatcher.exe") + /* uncomment once in winlogbeat */ + /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-injection-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-injection-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..8f9f7dc403 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-injection-detected-elastic-endgame.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-7-16-4-process-injection-detected-elastic-endgame]] +=== Process Injection - Detected - Elastic Endgame + +Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Elastic +* Elastic Endgame +* Threat Detection +* Privilege Escalation + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-injection-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-injection-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..9b3edd5797 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-injection-prevented-elastic-endgame.asciidoc 
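Review bot: in the Process Execution from an Unusual Directory query (the hunk preceding the Elastic Endgame file header), `"C:\\Windows\\security\\*.exe"` appears twice in the `process.executable` list (once after `"C:\\Windows\\ServiceState\\*.exe"` and again after `"C:\\Windows\\TextInput\\*.exe"`); drop the duplicate. The include list hardcodes the `C:` drive while the exclusions below it use the `?:` drive wildcard (`"?:\\Intel\\Wireless\\Setup.exe"` and so on), so the same directories on a system installed to another drive are never matched; using `?:\\Windows\\...` in the include list would be consistent. Finally, `event.type in ("start", "process_started", "info")` also matches `info` events, which describe processes that were already running when they were enumerated rather than new executions; that is worth stating in the investigation guide so analysts do not read every alert as a fresh launch.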
@@ -0,0 +1,58 @@ +[[prebuilt-rule-7-16-4-process-injection-prevented-elastic-endgame]] +=== Process Injection - Prevented - Elastic Endgame + +Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Elastic +* Elastic Endgame +* Threat Detection +* Privilege Escalation + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-termination-followed-by-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-termination-followed-by-deletion.asciidoc new file mode 100644 index 0000000000..04f3fc2aa5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-process-termination-followed-by-deletion.asciidoc 
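Review bot: both Elastic Endgame process injection rules (this Prevented hunk and the Detected one before it) map T1055 only to the Privilege Escalation tactic (TA0004), whereas ATT&CK also lists Process Injection under Defense Evasion (TA0005); adding the second tactic entry keeps the ATT&CK coverage views accurate for these alerts.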
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-process-termination-followed-by-deletion]] +=== Process Termination followed by Deletion + +Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where event.type == "end" and + process.code_signature.trusted == false and + not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe") + ] by process.executable + [file where event.type == "deletion" and file.extension : ("exe", "scr", "com") and + not process.executable : + ("?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\drvinst.exe") and + not file.path : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") + ] by file.path + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal on Host +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: File Deletion 
+** ID: T1070.004 +** Reference URL: https://attack.mitre.org/techniques/T1070/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-program-files-directory-masquerading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-program-files-directory-masquerading.asciidoc new file mode 100644 index 0000000000..ab9e2ded93 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-program-files-directory-masquerading.asciidoc 
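Review bot: the description of the Process Termination followed by Deletion rule has a stray word, "may leave traces to indicate to what occurred"; drop the second "to". The description also says "quickly followed", while the query fixes the window precisely with `sequence by host.id with maxspan=5s`; quoting the five-second window in the description helps analysts tune the rule, since a deletion that lands outside that window is never paired with the termination.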
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-program-files-directory-masquerading]] +=== Program Files Directory Masquerading + +Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.executable : "C:\\*Program*Files*\\*.exe" and + not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Users\\*.exe", "C:\\ProgramData\\*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-prompt-for-credentials-with-osascript.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-prompt-for-credentials-with-osascript.asciidoc new file mode 100644 index 0000000000..d0f5f065d7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-prompt-for-credentials-with-osascript.asciidoc 
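Review bot: the Program Files Directory Masquerading query pins the drive letter, `process.executable : "C:\\*Program*Files*\\*.exe"`, and again in its exclusions, whereas sibling rules in this package use the `?:` wildcard (for example `"?:\\Program Files\\*.exe"` in the Process Termination followed by Deletion rule), so a lookalike directory on a system whose Windows volume is not `C:` is not matched. The filter `event.type == "start"` also differs from the `event.type in ("start", "process_started")` used by the other EQL process rules here; confirm that is deliberate rather than drift between rules. The description's "masquerading, along with low privileges to bypass detections allowlisting those folders" should be reworded so the intent (the lookalike directory can be created without elevated privileges) is explicit.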
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-prompt-for-credentials-with-osascript]] +=== Prompt for Credentials with OSASCRIPT + +Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py +* https://ss64.com/osx/osascript.html + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Credential Access + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*display dialog*password*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Input Capture +** ID: T1056 +** Reference URL: https://attack.mitre.org/techniques/T1056/ +* Sub-technique: +** Name: GUI Input Capture +** ID: T1056.002 +** Reference URL: https://attack.mitre.org/techniques/T1056/002/ 
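Review bot: the description and the query of the Prompt for Credentials with OSASCRIPT rule disagree about where the script text is observed: the description says the rule identifies osascript executing "scripts via standard input", but the query matches `process.command_line : "osascript*display dialog*password*"`, which only sees script text passed on the command line (for example with `-e`); a script read from stdin leaves nothing in `process.command_line` for the pattern to match. Either reword the description to say the script is passed as command-line arguments, or add a note to the investigation guide that stdin-fed scripts are outside this rule's scope so the coverage is not overstated.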
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-psexec-network-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-psexec-network-connection.asciidoc new file mode 100644 index 0000000000..0ccf36d698 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-psexec-network-connection.asciidoc 
@@ -0,0 +1,131 @@ +[[prebuilt-rule-7-16-4-psexec-network-connection]] +=== PsExec Network Connection + +Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PsExec Network Connection + +PsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges +on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, +PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and +bypass security protections. + +This rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the +utility, followed by a network connection done by the process. + +#### Possible investigation steps + +- Check if the usage of this tool complies with the organization's administration policy. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Identify the user account that performed the action and whether it should perform this kind of action. +- Identify the target computer and its role in the IT environment. +- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for +similar occurrences across hosts. + +### False positive analysis + +- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the +user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. + - Prioritize accordingly with the role of the servers and users involved. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, +persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where process.name : "PsExec.exe" and event.type == "start" and + + /* This flag suppresses the display of the license dialog and may + indicate that psexec executed for the first time in the machine */ + process.args : "-accepteula" and + + not process.executable : ("?:\\ProgramData\\Docusnap\\Discovery\\discovery\\plugins\\17\\Bin\\psexec.exe", + "?:\\Docusnap 11\\Bin\\psexec.exe", + "?:\\Program Files\\Docusnap X\\Bin\\psexec.exe", + "?:\\Program Files\\Docusnap X\\Tools\\dsDNS.exe") and + not process.parent.executable : "?:\\Program Files (x86)\\Cynet\\Cynet Scanner\\CynetScanner.exe"] + [network where process.name : "PsExec.exe"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: System Services +** ID: T1569 +** Reference URL: https://attack.mitre.org/techniques/T1569/ +* Sub-technique: +** Name: Service Execution +** ID: T1569.002 +** Reference URL: https://attack.mitre.org/techniques/T1569/002/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-rare-aws-error-code.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-rare-aws-error-code.asciidoc new file mode 100644 index 0000000000..435a821416 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-rare-aws-error-code.asciidoc 
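Review bot: the PsExec Network Connection investigation guide says the rule looks "for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process", but the query additionally requires `process.args : "-accepteula"` (with the comment that the flag "may indicate that psexec executed for the first time in the machine"), so an invocation without that flag never alerts; the guide should state that condition so analysts understand why some PsExec runs are absent. The `sequence by process.entity_id` also has no `maxspan`, unlike the `maxspan=5s` in the Process Termination followed by Deletion rule of this package; because both stages are keyed on the same process instance that is defensible, but a short comment stating the choice would save the next reviewer the question.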
@@ -0,0 +1,120 @@ +[[prebuilt-rule-7-16-4-rare-aws-error-code]] +=== Rare AWS Error Code + +A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* ML + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Rare AWS Error Code + +CloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and +understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity +when deviations occur. + +This rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of +attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection. + +Detection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS +API command or method call. + +#### Possible investigation steps + +- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an +automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field. +- Investigate other alerts associated with the user account during the past 48 hours. 
+- Validate the activity is not related to planned patches, updates, or network administrator activity. +- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed +when the error occurred. + - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal +time of day? +- Contact the account owner and confirm whether they are aware of this activity if suspicious. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- Examine the history of the command. If the command only manifested recently, it might be part of a new automation +module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), +it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field. +- The adoption of new services or the addition of new functionality to scripts may generate false positives. 
+ +### Related Rules + +- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276 +- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1 +- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1 +- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-rare-user-logon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-rare-user-logon.asciidoc new file mode 100644 index 0000000000..cbc67cbaa4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-rare-user-logon.asciidoc 
@@ -0,0 +1,50 @@ +[[prebuilt-rule-7-16-4-rare-user-logon]] +=== Rare User Logon + +A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Authentication +* Threat Detection +* ML +* Initial Access + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-rdp-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-rdp-enabled-via-registry.asciidoc new file mode 100644 index 0000000000..8741270f83 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-rdp-enabled-via-registry.asciidoc 
@@ -0,0 +1,121 @@ +[[prebuilt-rule-7-16-4-rdp-enabled-via-registry]] +=== RDP Enabled via Registry + +Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating RDP Enabled via Registry + +Microsoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other +computers, typically over TCP port 3389. + +Attackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access +victim servers, often using privileged accounts. + +This rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote +desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user to check if they are aware of the operation. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether it makes sense to enable RDP to this host, given its role in the environment. +- Check if the host is directly exposed to the internet. +- Check whether privileged accounts accessed the host shortly after the modification. +- Review network events within a short timespan of this alert for incoming RDP connection attempts. + +### False positive analysis + +- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether +they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If RDP is needed, make sure to secure it using firewall rules: + - Allowlist RDP traffic to specific trusted hosts. + - Restrict RDP logins to authorized non-administrator accounts, where possible. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type in ("creation", "change") and + registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" and + registry.data.strings : ("0", "0x00000000") and not (process.name : "svchost.exe" and user.domain == "NT AUTHORITY") and + not process.executable : "C:\\Windows\\System32\\SystemPropertiesRemote.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-registry-persistence-via-appcert-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-registry-persistence-via-appcert-dll.asciidoc new file mode 100644 index 0000000000..9aa6a0d7c7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-registry-persistence-via-appcert-dll.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-registry-persistence-via-appcert-dll]] +=== Registry Persistence via AppCert DLL + +Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where +/* uncomment once stable length(bytes_written_string) > 0 and */ + registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppCert DLLs +** ID: T1546.009 +** Reference URL: https://attack.mitre.org/techniques/T1546/009/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-registry-persistence-via-appinit-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-registry-persistence-via-appinit-dll.asciidoc new file mode 100644 index 0000000000..e97dcf4386 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-registry-persistence-via-appinit-dll.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-registry-persistence-via-appinit-dll]] +=== Registry Persistence via AppInit DLL + +Attackers may maintain persistence by creating registry keys using AppInit DLLs. AppInit DLLs are loaded by every process using the common library, user32.dll. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where + registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", + "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls") and + not process.executable : ("C:\\Windows\\System32\\msiexec.exe", + "C:\\Windows\\SysWOW64\\msiexec.exe", + "C:\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe", + "C:\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppInit DLLs +** ID: T1546.010 +** Reference URL: https://attack.mitre.org/techniques/T1546/010/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc new file mode 100644 index 0000000000..d4fd05224d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc 
@@ -0,0 +1,121 @@ +[[prebuilt-rule-7-16-4-remote-desktop-enabled-in-windows-firewall-by-netsh]] +=== Remote Desktop Enabled in Windows Firewall by Netsh + +Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote Desktop Enabled in Windows Firewall by Netsh + +Microsoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other +computers, typically over TCP port 3389. + +Attackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access +victim servers, often using privileged accounts. + +This rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the +`netsh.exe` utility. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user to check if they are aware of the operation. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Check whether it makes sense to enable RDP to this host, given its role in the environment. +- Check if the host is directly exposed to the internet. +- Check whether privileged accounts accessed the host shortly after the modification. +- Review network events within a short timespan of this alert for incoming RDP connection attempts. + +### False positive analysis + +- The `netsh.exe` utility can be used legitimately. Check whether the user should be performing this kind of activity, whether the user is aware +of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If RDP is needed, make sure to secure it: + - Allowlist RDP traffic to specific trusted hosts. + - Restrict RDP logins to authorized non-administrator accounts, where possible. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and + process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and + process.args : ("action=allow", "enable=Yes", "enable") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-copy-to-a-hidden-share.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-copy-to-a-hidden-share.asciidoc new file mode 100644 index 0000000000..1b480310d4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-copy-to-a-hidden-share.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-remote-file-copy-to-a-hidden-share]] +=== Remote File Copy to a Hidden Share + +Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : ("cmd.exe", "powershell.exe", "robocopy.exe", "xcopy.exe") and + process.args : ("copy*", "move*", "cp", "mv") and process.args : "*$*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-copy-via-teamviewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-copy-via-teamviewer.asciidoc new file mode 100644 index 0000000000..755d633ee4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-copy-via-teamviewer.asciidoc 
@@ -0,0 +1,133 @@ +[[prebuilt-rule-7-16-4-remote-file-copy-via-teamviewer]] +=== Remote File Copy via TeamViewer + +Identifies an executable or script file remotely downloaded via a TeamViewer transfer session. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Command and Control + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Copy via TeamViewer + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command +and control channel. However, they can also abuse legitimate utilities to drop these files. + +TeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various +support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other +malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Contact the user to gather information about who and why was conducting the remote access. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this +access. +- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct +remote access and the triage has not identified suspicious or malicious files. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type == "creation" and process.name : "TeamViewer.exe" and + file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Technique: +** Name: Remote Access Software +** ID: T1219 +** Reference URL: https://attack.mitre.org/techniques/T1219/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-download-via-desktopimgdownldr-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-download-via-desktopimgdownldr-utility.asciidoc new file mode 100644 index 0000000000..d282f2982e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-download-via-desktopimgdownldr-utility.asciidoc 
@@ -0,0 +1,134 @@ +[[prebuilt-rule-7-16-4-remote-file-download-via-desktopimgdownldr-utility]] +=== Remote File Download via Desktopimgdownldr Utility + +Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Command and Control + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Download via Desktopimgdownldr Utility + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command +and control channel. However, they can also abuse signed utilities to drop these files. + +The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the +`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file +from an internal system. +- Retrieve the file and determine if it is malicious: + - Identify the file type. + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions +if necessary. +- Analysts can dismiss the alert if the downloaded file is a legitimate image. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "desktopimgdownldr.exe" or process.pe.original_file_name == "desktopimgdownldr.exe") and + process.args : "/lockscreenurl:http*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-download-via-mpcmdrun.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-download-via-mpcmdrun.asciidoc new file mode 100644 index 0000000000..49c23dee80 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-file-download-via-mpcmdrun.asciidoc 
@@ -0,0 +1,130 @@ +[[prebuilt-rule-7-16-4-remote-file-download-via-mpcmdrun]] +=== Remote File Download via MpCmdRun + +Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/mohammadaskar2/status/1301263551638761477 +* https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Command and Control + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Download via MpCmdRun + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command +and control channel. However, they can also abuse signed utilities to drop these files. + +The `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows +Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, +including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check the reputation of the domain or IP address used to host the downloaded file. +- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + (process.name : "MpCmdRun.exe" or process.pe.original_file_name == "MpCmdRun.exe") and + process.args : "-DownloadFile" and process.args : "-url" and process.args : "-path" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-ssh-login-enabled-via-systemsetup-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-ssh-login-enabled-via-systemsetup-command.asciidoc new file mode 100644 index 0000000000..6c0d016fd9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-ssh-login-enabled-via-systemsetup-command.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-remote-ssh-login-enabled-via-systemsetup-command]] +=== Remote SSH Login Enabled via systemsetup Command + +Detects use of the systemsetup command to enable remote SSH Login. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf +* https://ss64.com/osx/systemsetup.html +* https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Lateral Movement + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and + process.name:systemsetup and + process.args:("-setremotelogin" and on) and + not process.parent.executable : /usr/local/jamf/bin/jamf + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-system-discovery-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-system-discovery-commands.asciidoc new file mode 100644 index 0000000000..34112bc664 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remote-system-discovery-commands.asciidoc 
@@ -0,0 +1,116 @@ +[[prebuilt-rule-7-16-4-remote-system-discovery-commands]] +=== Remote System Discovery Commands + +Discovery of remote system information using built-in commands, which may be used to move laterally. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote System Discovery Commands + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, +which is useful for attackers to identify lateral movement targets. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. 
+ +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ((process.name : "nbtstat.exe" and process.args : ("-n", "-s")) or + (process.name : "arp.exe" and process.args : "-a")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Network Configuration Discovery +** ID: T1016 +** Reference URL: https://attack.mitre.org/techniques/T1016/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remotely-started-services-via-rpc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remotely-started-services-via-rpc.asciidoc new file mode 100644 index 0000000000..68214dd4bf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-remotely-started-services-via-rpc.asciidoc 
@@ -0,0 +1,96 @@ +[[prebuilt-rule-7-16-4-remotely-started-services-via-rpc]] +=== Remotely Started Services via RPC + +Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators." + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1s + [network where process.name : "services.exe" and + network.direction : ("incoming", "ingress") and network.transport == "tcp" and + source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" + ] by host.id, process.entity_id + + [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and + not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and + not (process.name : "msiexec.exe" and process.args : "/V") and + not process.executable : + ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe", + "?:\\Windows\\System32\\VSSVC.exe", + "?:\\Windows\\servicing\\TrustedInstaller.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Program Files\\*.exe", + "?:\\Windows\\PSEXESVC.EXE", + "?:\\Windows\\System32\\sppsvc.exe", + "?:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "?:\\WINDOWS\\RemoteAuditService.exe", + "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe", + "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe", + "?:\\Windows\\CAInvokerService.exe", + 
"?:\\Windows\\System32\\upfc.exe", + "?:\\Windows\\AdminArsenal\\PDQ*.exe", + "?:\\Windows\\System32\\vds.exe", + "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe", + "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe", + "?:\\Windows\\System32\\certsrv.exe", + "?:\\Windows\\eset-remote-install-service.exe", + "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe", + "?:\\Pella Corporation\\OSCToGPAutoService\\OSCToGPAutoSvc.exe", + "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe", + "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe", + "?:\\Windows\\System32\\taskhostex.exe") + ] by host.id, process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-renamed-autoit-scripts-interpreter.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-renamed-autoit-scripts-interpreter.asciidoc new file mode 100644 index 0000000000..4d39c7e21c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-renamed-autoit-scripts-interpreter.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-renamed-autoit-scripts-interpreter]] +=== Renamed AutoIt Scripts Interpreter + +Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started", "info") and + process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-scheduled-task-created-by-a-windows-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-scheduled-task-created-by-a-windows-script.asciidoc new file mode 100644 index 0000000000..ec9b71b09d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-scheduled-task-created-by-a-windows-script.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-scheduled-task-created-by-a-windows-script]] +=== Scheduled Task Created by a Windows Script + +A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan = 30s + [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "taskschd.dll" or file.name : "taskschd.dll") and + process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")] + [registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-scheduled-task-execution-at-scale-via-gpo.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-scheduled-task-execution-at-scale-via-gpo.asciidoc new file mode 100644 index 0000000000..2aefc88620 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-scheduled-task-execution-at-scale-via-gpo.asciidoc 
@@ -0,0 +1,156 @@ +[[prebuilt-rule-7-16-4-scheduled-task-execution-at-scale-via-gpo]] +=== Scheduled Task Execution at Scale via GPO + +Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md +* https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md +* https://labs.f-secure.com/tools/sharpgpoabuse +* https://twitter.com/menasec1/status/1106899890377052160 +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation +* Active Directory + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Scheduled Task Execution at Scale via GPO + +Group Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled +by a given GPO. This is done by changing the contents of the `\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` +file. + +#### Possible investigation steps + +- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity +is legitimate and the administrator is authorized to perform this operation. 
+- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any +potentially malicious commands or binaries. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO. + +### False positive analysis + +- Verify if the execution is allowed and done under change management, and if the execution is legitimate. + +### Related rules + +- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf +- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- The investigation and containment must be performed in every computer controlled by the GPO, where necessary. +- Remove the script from the GPO. +- Check if other GPOs have suspicious scheduled tasks attached. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'Audit Detailed File Share' audit policy must be configured (Success Failure). +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Object Access > +Audit Detailed File Share (Success,Failure) +``` + +The 'Audit Directory Service Changes' audit policy must be configured (Success Failure). 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +(event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:("gPCMachineExtensionNames" or "gPCUserExtensionNames") and + winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*)) +or +(event.code: "5145" and winlog.event_data.ShareName: "\\\\*\\SYSVOL" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and + (message: WriteData or winlog.event_data.AccessList: *%%4417*)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Domain Policy Modification +** ID: T1484 +** Reference URL: https://attack.mitre.org/techniques/T1484/ +* Sub-technique: +** Name: Group Policy Modification +** ID: T1484.001 +** Reference URL: https://attack.mitre.org/techniques/T1484/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-scheduled-tasks-at-command-enabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-scheduled-tasks-at-command-enabled.asciidoc new file mode 100644 index 0000000000..9c028b469e --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-scheduled-tasks-at-command-enabled.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-scheduled-tasks-at-command-enabled]] +=== Scheduled Tasks AT Command Enabled + +Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where + registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" and + registry.data.strings : ("1", "0x00000001") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-screensaver-plist-file-modified-by-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-screensaver-plist-file-modified-by-unexpected-process.asciidoc new file mode 100644 index 0000000000..6ac0c37afa --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-screensaver-plist-file-modified-by-unexpected-process.asciidoc 
@@ -0,0 +1,93 @@ +[[prebuilt-rule-7-16-4-screensaver-plist-file-modified-by-unexpected-process]] +=== Screensaver Plist File Modified by Unexpected Process + +Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/saving-your-access-d562bf5bf90b +* https://github.com/D00MFist/PersistentJXA + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +- Analyze the plist file modification event to identify whether the change was expected or not +- Investigate the process that modified the plist file for malicious code or other suspicious behavior +- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and + file.name: "com.apple.screensaver.*.plist" and + file.path : ( + "/Users/*/Library/Preferences/ByHost/*", + "/Library/Managed Preferences/*", + "/System/Library/Preferences/*" + ) and + /* Filter OS processes modifying screensaver plist files */ + not process.executable : ( + "/usr/sbin/cfprefsd", + "/usr/libexec/xpcproxy", + "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor", + "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-searching-for-saved-credentials-via-vaultcmd.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-searching-for-saved-credentials-via-vaultcmd.asciidoc new file mode 100644 index 0000000000..43d86ee812 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-searching-for-saved-credentials-via-vaultcmd.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-7-16-4-searching-for-saved-credentials-via-vaultcmd]] +=== Searching for Saved Credentials via VaultCmd + +Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 +* https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and + process.args:"/list*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Windows Credential Manager +** ID: T1555.004 +** Reference URL: https://attack.mitre.org/techniques/T1555/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-security-software-discovery-using-wmic.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-security-software-discovery-using-wmic.asciidoc new file mode 100644 index 0000000000..d98066f320 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-security-software-discovery-using-wmic.asciidoc 
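Review bot: the investigation guide for Searching for Saved Credentials via VaultCmd carries only a `## Setup` section and no triage, false positive or response guidance, while the description already states that listing Credential Manager entries may precede lateral movement; consider adding a `## Triage and analysis` section (parent process chain, the user account that ran it, other alerts on the host in the past 48 hours) in line with the other rules in this package. It would also help to say in the description that `process.args:"/list*"` is a wildcard match on any switch beginning with `/list`, so analysts know which command forms trigger the rule.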
@@ -0,0 +1,117 @@ +[[prebuilt-rule-7-16-4-security-software-discovery-using-wmic]] +=== Security Software Discovery using WMIC + +Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Security Software Discovery using WMIC + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security +software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable +protections, use bypasses, etc. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name:"wmic.exe" or process.pe.original_file_name:"wmic.exe") and + process.args:"/namespace:\\\\root\\SecurityCenter2" and process.args:"Get" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ +* Sub-technique: +** Name: Security Software Discovery +** ID: T1518.001 +** Reference URL: https://attack.mitre.org/techniques/T1518/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-security-software-discovery-via-grep.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-security-software-discovery-via-grep.asciidoc new file mode 100644 index 0000000000..881cc6a9f5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-security-software-discovery-via-grep.asciidoc 
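Review bot: in the `## Triage and analysis` text of this hunk, "arguments compatible to the enumeration of the security software" should read "arguments consistent with enumeration of the security software". Two smaller points: the title uses "using WMIC" while the next rule uses "via Grep", so pick one preposition for the two Security Software Discovery rules; and since the query keys on the `\\root\\SecurityCenter2` namespace plus a separate `Get` argument, the description could state that the namespace is what scopes the match to antivirus and firewall product enumeration.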
@@ -0,0 +1,110 @@ +[[prebuilt-rule-7-16-4-security-software-discovery-via-grep]] +=== Security Software Discovery via Grep + +Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as antivirus or host firewall details. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* macOS +* Linux +* Threat Detection +* Discovery + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and +process.name : "grep" and user.id != "0" and + not process.parent.executable : "/Library/Application Support/*" and + process.args : + ("Little Snitch*", + "Avast*", + "Avira*", + "ESET*", + "BlockBlock*", + "360Sec*", + "LuLu*", + "KnockKnock*", + "kav", + "KIS", + "RTProtectionDaemon*", + "Malware*", + "VShieldScanner*", + "WebProtection*", + "webinspectord*", + "McAfee*", + "isecespd*", + "macmnsvc*", + "masvc*", + "kesl*", + "avscan*", + "guard*", + "rtvscand*", + "symcfgd*", + "scmdaemon*", + "symantec*", + "sophos*", + "osquery*", + "elastic-endpoint*" + ) and + not (process.args : "Avast" and process.args : "Passwords") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ +* Sub-technique: +** Name: Security Software Discovery +** ID: T1518.001 +** Reference URL: https://attack.mitre.org/techniques/T1518/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc new file mode 100644 index 0000000000..8fe272cc17 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc 
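Review bot: `event.type == "start"` in this query is narrower than the `event.type in ("start", "process_started")` form used by the other EQL process rules in this package, yet `auditbeat-*` is listed under *Rule indices*; the sibling rules that also read `auditbeat-*` (Screensaver Plist File Modified by Unexpected Process, Access of Stored Browser Credentials) use the `in (...)` form, which suggests the `process_started` value is needed for that index and that events there would never match here. Suggest `event.type in ("start", "process_started")` for consistency. Minor: `user.id != "0"` and `not process.parent.executable : "/Library/Application Support/*"` are exclusions worth a sentence in the guide, so analysts know root-run and vendor-spawned greps are deliberately out of scope.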
@@ -0,0 +1,137 @@ +[[prebuilt-rule-7-16-4-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user]] +=== Sensitive Privilege SeEnableDelegationPrivilege assigned to a User + +Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml +* https://twitter.com/_nwodtuhs/status/1454049485080907776 +* https://www.thehacker.recipes/ad/movement/kerberos/delegations +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access +* Active Directory + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User + +Kerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, +act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured +for user and computer objects. 
+ +Enabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket +(TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation +when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they +could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged +user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will +be able to pass-the-ticket to privileged assets. + +SeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller +and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for +delegation**. + +It is critical to control the assignment of this privilege. A user with this privilege and write access to a computer +can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to +the system. + +#### Possible investigation steps + +- Investigate how the privilege was assigned to the user and who assigned it. +- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the +`user.id` and `winlog.activity_id` fields as a filter during the past 48 hours. +- Investigate other alerts associated with the users/host during the past 48 hours. + +### False positive analysis + +- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your +environment legitimately, the security team should notify the administrators about the risks of using it. 
+ +### Related rules + +- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Remove the privilege from the account. +- Review the privileges of the administrator account that performed the action. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure). +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Windows Settings > +Security Settings > +Advanced Audit Policy Configuration > +Audit Policies > +Policy Change > +Audit Authorization Policy Change (Success,Failure) +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action: "Authorization Policy Change" and event.code:4704 and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-service-control-spawned-via-script-interpreter.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-service-control-spawned-via-script-interpreter.asciidoc new file mode 100644 index 0000000000..ee64e20887 --- /dev/null 
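Review bot: `winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"` in the rule query assumes the field is tokenized; event 4704 can carry several user rights in one PrivilegeList value, so if the field is mapped as keyword this exact match misses assignments that bundle SeEnableDelegationPrivilege with other rights. Either use a wildcard (`*SeEnableDelegationPrivilege*`) or confirm the mapping in the System integration and Winlogbeat. Also, *Framework* lists the Credential Access and Persistence tactics with no technique under either; consider adding the relevant technique mapping so the rule lines up with the other entries in this package.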
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-service-control-spawned-via-script-interpreter.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-service-control-spawned-via-script-interpreter]] +=== Service Control Spawned via Script Interpreter + +Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* logs-system.* +* winlogbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement + +*Version*: 14 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +/* This rule is not compatible with Sysmon due to user.id issues */ + +process where event.type == "start" and + (process.name : "sc.exe" or process.pe.original_file_name == "sc.exe") and + process.parent.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", + "wmic.exe", "mshta.exe","powershell.exe", "pwsh.exe") and + process.args:("config", "create", "start", "delete", "stop", "pause") and + /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */ + not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-sharepoint-malware-file-upload.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-sharepoint-malware-file-upload.asciidoc new file mode 100644 index 0000000000..ceb979df28 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-sharepoint-malware-file-upload.asciidoc 
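Review bot: the leading comment `/* This rule is not compatible with Sysmon due to user.id issues */` is the only place this limitation is stated; `winlogbeat-*` is among the *Rule indices* and commonly carries Sysmon events, so surface the caveat in the description or the `## Setup` section. Two smaller points: `process.pe.original_file_name == "sc.exe"` uses a case-sensitive `==` while every other rule in this package matches original_file_name with `:`; and `rundll32.exe` and `regsvr32.exe` in the parent list are not script interpreters, so the title "Spawned via Script Interpreter" understates the rule's scope.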
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-sharepoint-malware-file-upload]] +=== SharePoint Malware File Upload + +Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide + +*Tags*: + +* Elastic +* Cloud +* Microsoft 365 +* Continuous Monitoring +* SecOps +* Lateral Movement + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Taint Shared Content +** ID: T1080 +** Reference URL: https://attack.mitre.org/techniques/T1080/ 
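Review bot: "occurence" in the description is a typo for "occurrence". Also, *Searches indices from* is `now-30m` against a 5m run interval, unlike the 9m look-back of the host rules in this package; if that is deliberate to absorb Office 365 audit log delivery latency, say so in the `## Setup` text so operators do not "tighten" it.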
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-signed-proxy-execution-via-ms-work-folders.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-signed-proxy-execution-via-ms-work-folders.asciidoc new file mode 100644 index 0000000000..fbd88bcc2c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-signed-proxy-execution-via-ms-work-folders.asciidoc 
@@ -0,0 +1,119 @@ +[[prebuilt-rule-7-16-4-signed-proxy-execution-via-ms-work-folders]] +=== Signed Proxy Execution via MS Work Folders + +Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview +* https://twitter.com/ElliotKillick/status/1449812843772227588 +* https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Signed Proxy Execution via MS Work Folders + +Work Folders is a role service for file servers running Windows Server that provides a consistent way for users to access +their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When +called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before +accessing the synced share. + +Using Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and +increase privileges. + +#### Possible investigation steps + +- Investigate the process tree starting with parent process WorkFolders.exe and child process control.exe to determine +if other child processes spawned during execution. 
+- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host. +- Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe +binary. It resides in the System32 directory by default. +- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity +or network traffic. +- Determine if control.exe was synced to sync share, indicating potential lateral movement. +- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to +disk from a separate binary. + +### False positive analysis + +- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the +instance where a suspicious control.exe is passed as an argument. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it. +- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the +control.exe binary as well as any additional artifacts identified during investigation. +- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using +Work Folders. +- Confirm with the user whether this was expected or not, and reset their password. + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start","process_started") + and process.name : "control.exe" and process.parent.name : "WorkFolders.exe" + and not process.executable : ("?:\\Windows\\System32\\control.exe", "?:\\Windows\\SysWOW64\\control.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-solarwinds-process-disabling-services-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-solarwinds-process-disabling-services-via-registry.asciidoc new file mode 100644 index 0000000000..c3f93d1d46 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-solarwinds-process-disabling-services-via-registry.asciidoc 
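Review bot: in the investigation steps, "Determine if control.exe was synced to sync share" needs an article ("to the sync share"); and the Response bullet "Confirm with the user whether this was expected or not, and reset their password" reads as an unconditional reset, so qualify it so the reset applies when the activity is not expected. The query itself looks right: excluding both `?:\\Windows\\System32\\control.exe` and `?:\\Windows\\SysWOW64\\control.exe` leaves only a control.exe outside its expected locations, which is the masquerade the description targets.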
@@ -0,0 +1,99 @@ +[[prebuilt-rule-7-16-4-solarwinds-process-disabling-services-via-registry]] +=== SolarWinds Process Disabling Services via Registry + +Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and + registry.data.strings : ("4", "0x00000004") and + process.name : ( + "SolarWinds.BusinessLayerHost*.exe", + "ConfigurationWizard*.exe", + "NetflowDatabaseMaintenance*.exe", + "NetFlowService*.exe", + "SolarWinds.Administration*.exe", + "SolarWinds.Collector.Service*.exe" , + "SolarwindsDiagnostics*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Supply Chain Compromise +** ID: T1195 +** Reference URL: https://attack.mitre.org/techniques/T1195/ +* Sub-technique: +** Name: Compromise Software Supply Chain +** ID: T1195.002 +** Reference URL: https://attack.mitre.org/techniques/T1195/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-aws-error-messages.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-aws-error-messages.asciidoc new file mode 100644 index 0000000000..448a55b4f7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-aws-error-messages.asciidoc 
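Review bot: stray space before the comma in `"SolarWinds.Collector.Service*.exe" ,` inside the `process.name` list. The investigation guide has only a `## Setup` section; given the rule is tied to a specific supply-chain campaign (the FireEye reference), a short triage note on verifying the SolarWinds binary's signature and which service's `Start` value was set to 4 (disabled) would help analysts decide between a legitimate product update and the tampering the rule describes.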
@@ -0,0 +1,117 @@ +[[prebuilt-rule-7-16-4-spike-in-aws-error-messages]] +=== Spike in AWS Error Messages + +A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* ML + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Spike in AWS Error Messages + +CloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and +understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity +when deviations occur. + +This rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail +messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery. + +#### Possible investigation steps + +- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an +automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field. +- Investigate other alerts associated with the user account during the past 48 hours. +- Validate the activity is not related to planned patches, updates, or network administrator activity. +- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed +when the error occurred. + - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal +time of day? +- Contact the account owner and confirm whether they are aware of this activity if suspicious. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- Examine the history of the command. If the command only manifested recently, it might be part of a new automation +module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), +it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field. +- The adoption of new services or the addition of new functionality to scripts may generate false positives. 
+ +### Related Rules + +- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276 +- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1 +- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1 +- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-failed-logon-events.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-failed-logon-events.asciidoc new file mode 100644 index 0000000000..0ba4effb26 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-failed-logon-events.asciidoc @@ -0,0 +1,50 @@ +[[prebuilt-rule-7-16-4-spike-in-failed-logon-events]] +=== Spike in Failed Logon Events + +A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Authentication +* Threat Detection +* ML +* Credential Access + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ 
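Review bot: in the Spike in AWS Error Messages investigation guide, the two field references are broken: "`aws.cloudtrail.error_code field` field" and "`event.action field` field" put the word "field" inside the backticks, so the rendered guide names fields that do not exist. They should read "the `aws.cloudtrail.error_code` field" and "the `event.action` field". Also, the same guide twice tells the analyst to examine "the history of the error" in the triage steps and "the history of the command" in the false-positive section with nearly identical wording; collapsing these into one step that names both fields would make the guide easier to follow.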
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-logon-events-from-a-source-ip.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-logon-events-from-a-source-ip.asciidoc new file mode 100644 index 0000000000..23bf87026e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-logon-events-from-a-source-ip.asciidoc @@ -0,0 +1,50 @@ +[[prebuilt-rule-7-16-4-spike-in-logon-events-from-a-source-ip]] +=== Spike in Logon Events from a Source IP + +A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Authentication +* Threat Detection +* ML +* Credential Access + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-logon-events.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-logon-events.asciidoc new file mode 100644 index 0000000000..0ef491386d --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-spike-in-logon-events.asciidoc @@ -0,0 +1,50 @@ +[[prebuilt-rule-7-16-4-spike-in-logon-events]] +=== Spike in Logon Events + +A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Authentication +* Threat Detection +* ML +* Credential Access + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-startup-logon-script-added-to-group-policy-object.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-startup-logon-script-added-to-group-policy-object.asciidoc new file mode 100644 index 0000000000..b7f7278c90 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-startup-logon-script-added-to-group-policy-object.asciidoc 
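Review bot: the descriptions of Spike in Logon Events from a Source IP and Spike in Logon Events attribute a spike in *successful* authentication events to "password spraying, user enumeration or brute force activity", but those activities produce failed logons, which is what the sibling rule Spike in Failed Logon Events already covers. A burst of successes points at something different: a spray or brute-force campaign that has already succeeded against many accounts, automated credential reuse, or a misconfigured service account. Suggest rewording both descriptions along the lines of "This can follow successful password spraying or brute force activity, or indicate automated use of harvested credentials", so the analyst is not steered toward looking for failures that the job did not flag.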
@@ -0,0 +1,157 @@ +[[prebuilt-rule-7-16-4-startup-logon-script-added-to-group-policy-object]] +=== Startup/Logon Script added to Group Policy Object + +Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md +* https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md +* https://labs.f-secure.com/tools/sharpgpoabuse + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation +* Active Directory + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Scheduled Task Execution at Scale via GPO + +Group Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of +clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the +`scripts.ini` or `psscripts.ini` files. The scripts are stored in the following path: `\Machine\Scripts\`, +`\User\Scripts\` + +#### Possible investigation steps + +- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity +is legitimate and the administrator is authorized to perform this operation. +- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any +potentially malicious commands or binaries. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO. + +### False positive analysis + +- Verify if the execution is legitimately authorized and executed under a change management process. + +### Related rules + +- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf +- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- The investigation and containment must be performed in every computer controlled by the GPO, where necessary. +- Remove the script from the GPO. +- Check if other GPOs have suspicious scripts attached. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'Audit Detailed File Share' audit policy must be configured (Success Failure). +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Object Access > +Audit Detailed File Share (Success,Failure) +``` + +The 'Audit Directory Service Changes' audit policy must be configured (Success Failure). 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +( + event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and + winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and + (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*)) +) +or +( + event.code:5145 and winlog.event_data.ShareName:\\\\*\\SYSVOL and + winlog.event_data.RelativeTargetName:(*\\scripts.ini or *\\psscripts.ini) and + (message:WriteData or winlog.event_data.AccessList:*%%4417*) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Technique: +** Name: Domain Policy Modification +** ID: T1484 +** Reference URL: https://attack.mitre.org/techniques/T1484/ +* Sub-technique: +** Name: Group Policy Modification +** ID: T1484.001 +** Reference URL: https://attack.mitre.org/techniques/T1484/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-startup-persistence-by-a-suspicious-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-startup-persistence-by-a-suspicious-process.asciidoc new file mode 100644 index 0000000000..362966c7f6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-startup-persistence-by-a-suspicious-process.asciidoc 
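Review bot: the investigation guide for Startup/Logon Script added to Group Policy Object was copied from the Scheduled Task rule and not adapted: the heading reads "### Investigating Scheduled Task Execution at Scale via GPO" and a triage step says "Retrieve the contents of the `ScheduledTasks.xml` file", while this rule's query watches writes to `*\\scripts.ini` and `*\\psscripts.ini` in SYSVOL. The heading should name this rule, and the step should point the analyst at `scripts.ini` / `psscripts.ini` under the `\Machine\Scripts\` and `\User\Scripts\` paths the guide already mentions, reviewing the CmdLine and Parameters entries for each script. The XML tag placeholders in that step are also empty in the rendered text (``` `` and `` ```), so whatever they were meant to name is lost. Minor: "with with" appears twice in the Setup section.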
@@ -0,0 +1,154 @@ +[[prebuilt-rule-7-16-4-startup-persistence-by-a-suspicious-process]] +=== Startup Persistence by a Suspicious Process + +Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Startup Persistence by a Suspicious Process + +The Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account +logon, without user interaction, providing an excellent way for attackers to maintain persistence. + +This rule monitors for commonly abused processes writing to the Startup folder locations. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate +software installations. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. 
+- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, +verify that this activity is not benign. + +### Related rules + +- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff +- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and + user.domain != "NT AUTHORITY" and + file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*") and + process.name : ("cmd.exe", + "powershell.exe", + "wmic.exe", + "mshta.exe", + "pwsh.exe", + "cscript.exe", + "wscript.exe", + "regsvr32.exe", + "RegAsm.exe", + "rundll32.exe", + "EQNEDT32.EXE", + "WINWORD.EXE", + "EXCEL.EXE", + "POWERPNT.EXE", + "MSPUB.EXE", + "MSACCESS.EXE", + "iexplore.exe", + "InstallUtil.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ 
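Review bot: the `user.domain != "NT AUTHORITY"` exclusion in the Startup Persistence by a Suspicious Process query drops every write made in SYSTEM, LocalService or NetworkService context, which is exactly the context an attacker would be in when writing to the all-users path `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*`; a cmd.exe or powershell.exe spawned from a SYSTEM scheduled task or service that drops a file there will not alert. Either scope the exclusion to the per-user `C:\Users\*` path only, or state this blind spot in the false-positive section so tuners know the trade-off. Same section: "Before the further investigation" should read "Before further investigation".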
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-strace-process-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-strace-process-activity.asciidoc new file mode 100644 index 0000000000..156a6b7c3e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-strace-process-activity.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-7-16-4-strace-process-activity]] +=== Strace Process Activity + +Strace is a useful diagnostic, instructional, and debugging tool. This rule identifies a privileged context execution of strace which can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://en.wikipedia.org/wiki/Strace + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Privilege Escalation + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and process.name:strace + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ 
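Review bot: the Strace Process Activity description claims the rule "identifies a privileged context execution of strace", but the query `event.category:process and event.type:(start or process_started) and process.name:strace` has no user constraint and fires on every strace start by any user. Either add a privilege condition (for example `user.id:0` or `user.name:root`, depending on which fields the endpoint and auditbeat data populate) or drop "privileged context" from the description so it matches what the query actually does. As written, on developer hosts where strace is a routine debugging tool, the low severity is appropriate but the description oversells the signal.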
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-sublime-plugin-or-application-script-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-sublime-plugin-or-application-script-modification.asciidoc new file mode 100644 index 0000000000..f82036a239 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-sublime-plugin-or-application-script-modification.asciidoc 
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-sublime-plugin-or-application-script-modification]] +=== Sublime Plugin or Application Script Modification + +Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5 + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type in ("change", "creation") and file.extension : "py" and + file.path : + ( + "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py", + "/Applications/Sublime Text.app/Contents/MacOS/sublime.py" + ) and + not process.executable : + ( + "/Applications/Sublime Text*.app/Contents/*", + "/usr/local/Cellar/git/*/bin/git", + "/Library/Developer/CommandLineTools/usr/bin/git", + "/usr/libexec/xpcproxy", + "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-activity-reported-by-okta-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-activity-reported-by-okta-user.asciidoc new file mode 100644 index 0000000000..2ac869a141 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-activity-reported-by-okta-user.asciidoc 
@@ -0,0 +1,98 @@ +[[prebuilt-rule-7-16-4-suspicious-activity-reported-by-okta-user]] +=== Suspicious Activity Reported by Okta User + +Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-calendar-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-calendar-file-modification.asciidoc new file mode 100644 index 0000000000..d772d01691 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-calendar-file-modification.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-suspicious-calendar-file-modification]] +=== Suspicious Calendar File Modification + +Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos +* https://github.com/FSecureLABS/CalendarPersist +* https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and event.action:modification and + file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and + process.executable: + (* and not + ( + /System/Library/* or + /System/Applications/Calendar.app/Contents/MacOS/* or + /System/Applications/Mail.app/Contents/MacOS/Mail or + /usr/libexec/xpcproxy or + /sbin/launchd or + /Applications/* + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ 
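Review bot: the `not /Applications/*` clause in the Suspicious Calendar File Modification query excludes any executable under `/Applications`, a directory an ordinary admin user can write to, so a payload dropped as `/Applications/Anything.app/Contents/MacOS/anything` modifying `*.calendar/Events/*.ics` is never seen. The legitimate writers the rule needs to allow are already listed individually (`/System/Applications/Calendar.app/Contents/MacOS/*`, `/System/Applications/Mail.app/Contents/MacOS/Mail`); suggest replacing the blanket `/Applications/*` entry with the specific third-party calendar clients observed in the environment, or at minimum documenting the gap in an investigation guide, which this rule currently lacks.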
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-certutil-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-certutil-commands.asciidoc new file mode 100644 index 0000000000..d9f2e360f6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-certutil-commands.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-suspicious-certutil-commands]] +=== Suspicious CertUtil Commands + +Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/Moriarty_Meng/status/984380793383370752 +* https://twitter.com/egre55/status/1087685529016193025 +* https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx +* https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 14 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and + process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex", "?exportPFX") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-cmd-execution-via-wmi.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-cmd-execution-via-wmi.asciidoc new file mode 100644 index 0000000000..dc4a467c61 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-cmd-execution-via-wmi.asciidoc 
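Review bot: the Suspicious CertUtil Commands rule matches `?urlcache` alongside the decode/encode flags, and the description itself says CertUtil is abused "for stealthier command and control or data exfiltration", yet the only ATT&CK mapping is T1140 Deobfuscate/Decode Files or Information. The `-urlcache -split -f <url>` pattern is a download, so T1105 Ingress Tool Transfer belongs in the Framework section as well; without it the alert is classified only as defense evasion when the matched behaviour is often the initial tool download.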
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-suspicious-cmd-execution-via-wmi]] +=== Suspicious Cmd Execution via WMI + +Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and + process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ 
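Review bot: the Suspicious Cmd Execution via WMI query keys on exact argument tokens, `process.args : "\\\\127.0.0.1\\*"` together with `("2>&1", "1>")`, which is the default command line produced by wmiexec-style tooling (`cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1`). A trivial change in the tool, such as redirecting with `>` instead of `1>` or writing to `\\localhost\` rather than the literal loopback address, no longer matches. Since *References* is None, add a pointer to the tool behaviour being modelled and state in the description that the rule targets this specific output-redirection pattern, so tuners understand both what it catches and what it misses.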
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc new file mode 100644 index 0000000000..2313e1d800 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc 
@@ -0,0 +1,110 @@ +[[prebuilt-rule-7-16-4-suspicious-dll-loaded-for-persistence-or-privilege-escalation]] +=== Suspicious DLL Loaded for Persistence or Privilege Escalation + +Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://itm4n.github.io/windows-dll-hijacking-clarified/ +* http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html +* https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html +* https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html +* https://windows-internals.com/faxing-your-way-to-system/ +* http://waleedassar.blogspot.com/2013/01/wow64logdll.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence +* Privilege Escalation + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where + (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + ( + /* compatible with Elastic Endpoint Library Events */ + (dll.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll", + "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll", + "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll") + and (dll.code_signature.trusted == false or dll.code_signature.exists == false)) or + + /* compatible with Sysmon EventID 7 - Image Load */ + (file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll", + "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll", + "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll") + and not file.code_signature.status == "Valid") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Search Order Hijacking +** ID: T1574.001 +** Reference URL: https://attack.mitre.org/techniques/T1574/001/ 
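Review bot: the description says this rule flags a "non Microsoft signed DLL", but neither branch of the query checks the signer: the Endpoint branch requires `dll.code_signature.trusted == false or dll.code_signature.exists == false` and the Sysmon branch `not file.code_signature.status == "Valid"`, so a validly signed third-party DLL dropped under one of these phantom names (`wlbsctrl.dll`, `EdgeGdi.dll`, `wow64log.dll`, ...) is excluded. Either replace the trust check with a subject-name exclusion for Microsoft (`dll.code_signature.subject_name : "Microsoft *"` style) so any non-Microsoft signer still alerts, or reword the description to "unsigned or untrusted DLL". A one-line comment explaining why the two branches use different signature fields (Endpoint `dll.code_signature.*` vs Sysmon `file.code_signature.status`) would also help maintainers keep them in step.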
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-endpoint-security-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-endpoint-security-parent-process.asciidoc new file mode 100644 index 0000000000..c796e160bb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-endpoint-security-parent-process.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-suspicious-endpoint-security-parent-process]] +=== Suspicious Endpoint Security Parent Process + +A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started", "info") and + process.name : ("esensor.exe", "elastic-endpoint.exe") and + process.parent.executable != null and + /* add FPs here */ + not process.parent.executable : ("C:\\Program Files\\Elastic\\*", + "C:\\Windows\\System32\\services.exe", + "C:\\Windows\\System32\\WerFault*.exe", + "C:\\Windows\\System32\\wermgr.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ 
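Review bot: the description says an unexpected parent of `esensor.exe` / `elastic-endpoint.exe` "may indicate a process hollowing or other form of code injection", yet the only technique mapped is Masquerading (T1036); if injection is the intended interpretation, T1055 Process Injection (T1055.012 Process Hollowing) is the matching technique, otherwise the description should be reworded to match the mapping. Separately, the allow-list under `/* add FPs here */` is path-only (`"C:\\Program Files\\Elastic\\*"`, `"C:\\Windows\\System32\\WerFault*.exe"`, `"C:\\Windows\\System32\\wermgr.exe"`) and does not verify the parent's identity; where the data source populates it, pairing each path with `process.parent.code_signature.trusted == true` would make the exclusion harder to satisfy with a planted binary.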
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-execution-from-a-mounted-device.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-execution-from-a-mounted-device.asciidoc new file mode 100644 index 0000000000..8007950553 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-execution-from-a-mounted-device.asciidoc 
@@ -0,0 +1,103 @@ +[[prebuilt-rule-7-16-4-suspicious-execution-from-a-mounted-device]] +=== Suspicious Execution from a Mounted Device + +Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ +* https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and process.executable : "C:\\*" and + (process.working_directory : "?:\\" and not process.working_directory: "C:\\") and + process.parent.name : "explorer.exe" and + process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe", + "cscript.exe", "wscript.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Mshta +** ID: T1218.005 +** Reference URL: https://attack.mitre.org/techniques/T1218/005/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-execution-short-program-name.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-execution-short-program-name.asciidoc new file mode 100644 index 0000000000..02186d7a09 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-execution-short-program-name.asciidoc 
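Review bot: the Suspicious Execution from a Mounted Device query hard-codes the system drive twice, `process.executable : "C:\\*"` and `not process.working_directory: "C:\\"`, so on a host where Windows is installed on another drive letter the rule both misses the real system drive and treats it as the mounted device. Using `"?:\\Windows\\*"` for the executable avoids the assumption, and the `?:\\` wildcard is already the convention elsewhere in this package (see the Suspicious HTML File Creation query). Also, the description says "non-standard working directory" while the title says "Mounted Device"; what the query actually matches is a drive root (`process.working_directory : "?:\\"`), which is what an opened ISO or VHD looks like, so the description should say that.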
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-suspicious-execution-short-program-name]] +=== Suspicious Execution - Short Program Name + +Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and length(process.name) > 0 and + length(process.name) == 5 and host.os.name == "Windows" and length(process.pe.original_file_name) > 5 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ 
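Review bot: in the query, `length(process.name) > 0 and length(process.name) == 5` is redundant; the `> 0` clause adds nothing once `== 5` is required and can be dropped. The description also says "single character process name" while the query encodes that as a five-character `process.name` (one-character base name plus a three-letter extension, `a.exe` style); stating that explicitly, and noting that `length(process.pe.original_file_name) > 5` restricts the match to PE files that carry an OriginalFileName in their version resource (the renamed-system-utility case, per the T1036.003 mapping), would make the intent clear and explain why a stripped binary without version info is not matched.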
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-execution-via-scheduled-task.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-execution-via-scheduled-task.asciidoc new file mode 100644 index 0000000000..2adee14225 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-execution-via-scheduled-task.asciidoc 
@@ -0,0 +1,108 @@ +[[prebuilt-rule-7-16-4-suspicious-execution-via-scheduled-task]] +=== Suspicious Execution via Scheduled Task + +Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + /* Schedule service cmdline on Win10+ */ + process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and + /* add suspicious programs here */ + process.pe.original_file_name in + ( + "cscript.exe", + "wscript.exe", + "PowerShell.EXE", + "Cmd.Exe", + "MSHTA.EXE", + "RUNDLL32.EXE", + "REGSVR32.EXE", + "MSBuild.exe", + "InstallUtil.exe", + "RegAsm.exe", + "RegSvcs.exe", + "msxsl.exe", + "CONTROL.EXE", + "EXPLORER.EXE", + "Microsoft.Workflow.Compiler.exe", + "msiexec.exe" + ) and + /* add suspicious paths here */ + process.args : ( + "C:\\Users\\*", + "C:\\ProgramData\\*", + "C:\\Windows\\Temp\\*", + "C:\\Windows\\Tasks\\*", + "C:\\PerfLogs\\*", + "C:\\Intel\\*", + "C:\\Windows\\Debug\\*", + "C:\\HP\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-explorer-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-explorer-child-process.asciidoc new file mode 100644 index 0000000000..54259c9662 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-explorer-child-process.asciidoc 
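Review bot: the `/* add suspicious paths here */` list in the Suspicious Execution via Scheduled Task query hard-codes the `C:` drive (`"C:\\Users\\*"`, `"C:\\ProgramData\\*"`, `"C:\\Windows\\Temp\\*"`, ...) whereas other rules in this package use the `?:\\` drive wildcard (the Suspicious HTML File Creation query, for example), so a task whose payload sits on another volume is not matched; switching to `?:\\` keeps the package consistent. Also, `process.pe.original_file_name in (...)` is an exact, case-sensitive match against the PE version resource, so the mixed casing in the list (`"PowerShell.EXE"`, `"Cmd.Exe"`, `"MSHTA.EXE"`) must reproduce the resource exactly; a comment saying so would stop a well-meaning normalisation to lower case from silently breaking the rule.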
@@ -0,0 +1,92 @@ +[[prebuilt-rule-7-16-4-suspicious-explorer-child-process]] +=== Suspicious Explorer Child Process + +Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Initial Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ( + process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or + process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE") + ) and + /* Explorer started via DCOM */ + process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and + not process.parent.args: + ( + /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */ + "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}", + "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-file-creation-in-etc-for-persistence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-file-creation-in-etc-for-persistence.asciidoc new file mode 100644 index 0000000000..01c34c89ce --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-file-creation-in-etc-for-persistence.asciidoc 
@@ -0,0 +1,108 @@ +[[prebuilt-rule-7-16-4-suspicious-file-creation-in-etc-for-persistence]] +=== Suspicious File Creation in /etc for Persistence + +Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access. + +*Rule type*: eql + +*Rule indices*: + +* logs-* + +*Severity*: medium + +*Risk score*: 80 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Persistence +* Orbit +* Lightning Framework + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where event.action == "creation" and user.name == "root" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: 
https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-html-file-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-html-file-creation.asciidoc new file mode 100644 index 0000000000..ef28f5923f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-html-file-creation.asciidoc 
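Review bot: in the Suspicious File Creation in /etc for Persistence rule, `*Severity*: medium` with `*Risk score*: 80` is inconsistent with the rest of this package, where medium rules carry 47 and high rules 73; either the severity should be high (with 73) or the score should be 47. In the query, the package-manager exclusion `"*/apt"` does not match `apt-get` (nor `rpm`, `zypper` or `pacman`), so routine package installation on those hosts will alert; `"*/apt*"` and the other managers are worth adding. Note too that `yum` and `dnf` are Python scripts on most distributions, so verify that `process.executable` actually resolves to `*/yum` or `*/dnf` in your data rather than to the interpreter before relying on those two exclusions. Finally, `"/etc/rc.d/init.d/*"` is the Red Hat layout; Debian-family hosts use `/etc/init.d/`, which the path list does not cover.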
@@ -0,0 +1,110 @@ +[[prebuilt-rule-7-16-4-suspicious-html-file-creation]] +=== Suspicious HTML File Creation + +Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Initial Access + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by user.id with maxspan=5m + [file where event.action in ("creation", "rename") and + file.extension : ("htm", "html") and + file.path : ("?:\\Users\\*\\Downloads\\*", + "?:\\Users\\*\\Content.Outlook\\*", + "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*", + "?:\\Users\\*\\AppData\\Local\\Temp\\7z*", + "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*") and + ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)] + [process where event.action == "start" and + ( + (process.name in ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe") + and process.args == "--single-argument") or + (process.name == "iexplore.exe" and process.args_count == 2) or + (process.name in ("firefox.exe", "waterfox.exe") and process.args == "-url") + ) + and process.args : ("?:\\Users\\*\\Downloads\\*.htm*", + "?:\\Users\\*\\Content.Outlook\\*.htm*", + "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.htm*", + "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.htm*", + "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*.htm*")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* 
Sub-technique: +** Name: HTML Smuggling +** ID: T1027.006 +** Reference URL: https://attack.mitre.org/techniques/T1027/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc new file mode 100644 index 0000000000..8a2d4f3dcd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc 
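Review bot: the Suspicious HTML File Creation description says the rule looks for an HTML file "with high entropy and size", but the first sequence step is `((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)`, so any HTML file of 1 MB or more matches regardless of entropy; the description should say so. Also, the sequence is keyed `by user.id` only and the two steps are not joined on the path, so any qualifying `.htm*` creation followed within `maxspan=5m` by the same user opening a different `.htm*` from one of the listed folders will pair up; if the data allows it, joining on the file path would tighten the correlation, and if not, the looseness is worth a sentence in the description.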
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-suspicious-image-load-taskschd-dll-from-ms-office]] +=== Suspicious Image Load (taskschd.dll) from MS Office + +Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 +* https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where + (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and + (dll.name : "taskschd.dll" or file.name : "taskschd.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-java-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-java-child-process.asciidoc new file mode 100644 index 0000000000..ed46549262 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-java-child-process.asciidoc 
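Review bot: the Office process list in the taskschd.dll query (`"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE"`) omits OUTLOOK.EXE and the Visio and OneNote executables even though the description talks about "Microsoft Office processes" generally. If they are left out deliberately because they load `taskschd.dll` legitimately, a comment to that effect would stop the next maintainer from re-adding them; otherwise consider adding them after checking the false-positive rate in your telemetry.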
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-suspicious-java-child-process]] +=== Suspicious JAVA Child Process + +Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.lunasec.io/docs/blog/log4j-zero-day/ +* https://github.com/christophetd/log4shell-vulnerable-app +* https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf + +*Tags*: + +* Elastic +* Host +* Linux +* macOS +* Threat Detection +* Execution + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "java" and + process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-lsass-access-via-malseclogon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-lsass-access-via-malseclogon.asciidoc new file mode 100644 index 0000000000..aa3c8f2bab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-lsass-access-via-malseclogon.asciidoc 
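Review bot: the ATT&CK sub-technique in the Suspicious JAVA Child Process hunk is wrong: T1059.007 is JavaScript, which is unrelated to a Java process spawning `sh`, `bash`, `dash`, `ksh`, `tcsh`, `zsh`, `curl` or `wget`. The matching sub-technique for the child processes the query lists is T1059.004 Unix Shell, and since the description and the Log4Shell references frame this as exploitation of a Java-specific vulnerability, T1190 Exploit Public-Facing Application under Initial Access is the additional mapping most analysts would expect alongside it.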
@@ -0,0 +1,84 @@ +[[prebuilt-rule-7-16-4-suspicious-lsass-access-via-malseclogon]] +=== Suspicious LSASS Access via MalSecLogon + +Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.code == "10" and + winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and + + /* seclogon service accessing lsass */ + winlog.event_data.CallTrace : "*seclogon.dll*" and process.name : "svchost.exe" and + + /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */ + winlog.event_data.GrantedAccess == "0x14c0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-microsoft-diagnostics-wizard-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-microsoft-diagnostics-wizard-execution.asciidoc new file mode 100644 index 0000000000..2b27a347fb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-microsoft-diagnostics-wizard-execution.asciidoc 
@@ -0,0 +1,87 @@ +[[prebuilt-rule-7-16-4-suspicious-microsoft-diagnostics-wizard-execution]] +=== Suspicious Microsoft Diagnostics Wizard Execution + +Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/nao_sec/status/1530196847679401984 +* https://lolbas-project.github.io/lolbas/Binaries/Msdt/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and + ( + process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or + + (process.args : "-af" and process.args : "/skip" and + process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and + process.args : ("?:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml", "PCWDiagnostic.xml", "?:\\Users\\Public\\*", "?:\\Windows\\Temp\\*")) or + + (process.pe.original_file_name == "msdt.exe" and not process.name : "msdt.exe" and process.name != null) or + + (process.pe.original_file_name == "msdt.exe" and not process.executable : ("?:\\Windows\\system32\\msdt.exe", "?:\\Windows\\SysWOW64\\msdt.exe")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-ms-office-child-process.asciidoc new file mode 100644 index 0000000000..ea5102a1b6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-ms-office-child-process.asciidoc 
@@ -0,0 +1,142 @@ +[[prebuilt-rule-7-16-4-suspicious-ms-office-child-process]] +=== Suspicious MS Office Child Process + +Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Initial Access + +*Version*: 14 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious MS Office Child Process + +Microsoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. +You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create +presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted +for initial access. It also has a wide variety of capabilities that attackers can take advantage of. + +This rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of +malicious documents. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, +but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. 
+- Remove and block malicious artifacts identified during triage. +- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, +persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe") and + process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe", + "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", + "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "ipconfig.exe", + "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", + "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", + "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe", + "wmic.exe", "wscript.exe", "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe", "msdt.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-ms-outlook-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-ms-outlook-child-process.asciidoc new file mode 100644 index 0000000000..045e3c5166 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-ms-outlook-child-process.asciidoc 
@@ -0,0 +1,141 @@ +[[prebuilt-rule-7-16-4-suspicious-ms-outlook-child-process]] +=== Suspicious MS Outlook Child Process + +Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Initial Access + +*Version*: 13 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious MS Outlook Child Process + +Microsoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is +widely used, either standalone or as part of the Office suite. + +This rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious +documents and/or exploitation for initial access. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve recently opened files received via email and opened by the user that could cause this behavior. Common +locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client. 
+- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, +persistence mechanisms, and malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "outlook.exe" and + process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", + "cdb.exe", "certutil.exe", "cmd.exe", "cmstp.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", + "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", + "iexpress.exe", "installutil.exe", "ipconfig.exe", "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", + "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe", "powershell.exe", + "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", + "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", + "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe", "xwizard.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: 
https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-net-code-compilation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-net-code-compilation.asciidoc new file mode 100644 index 0000000000..9765957934 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-net-code-compilation.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-7-16-4-suspicious-net-code-compilation]] +=== Suspicious .NET Code Compilation + +Identifies suspicious .NET code execution. connections. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : ("csc.exe", "vbc.exe") and + process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Sub-technique: +** Name: Compile After Delivery +** ID: T1027.004 +** Reference URL: https://attack.mitre.org/techniques/T1027/004/ 
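Review bot: The description line in this hunk, "Identifies suspicious .NET code execution. connections.", is garbled: a stray "connections." fragment was left behind, and "code execution" does not describe what the query matches, which is the C#/VB compilers (`process.name : ("csc.exe", "vbc.exe")`) spawned by script hosts and commonly abused binaries. Suggest rewording to something like "Identifies suspicious .NET code compilation (csc.exe or vbc.exe) launched by script hosts or other commonly abused system binaries.", which also lines up with the rule title and the T1027.004 Compile After Delivery mapping at the end of the hunk.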
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-net-reflection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-net-reflection-via-powershell.asciidoc new file mode 100644 index 0000000000..0d1d2a5e95 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-net-reflection-via-powershell.asciidoc 
@@ -0,0 +1,172 @@ +[[prebuilt-rule-7-16-4-suspicious-net-reflection-via-powershell]] +=== Suspicious .NET Reflection via PowerShell + +Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious .NET Reflection via PowerShell + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, +which can circumvent file-based security protections. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Retrieve the script and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did +not identify malware or suspicious activity related to the user or host, this alert can be dismissed. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and + powershell.file.script_block_text : ( + "[System.Reflection.Assembly]::Load" or + "[Reflection.Assembly]::Load" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Dynamic-link Library Injection +** ID: T1055.001 +** Reference URL: https://attack.mitre.org/techniques/T1055/001/ +* Sub-technique: +** Name: Portable Executable Injection +** ID: T1055.002 +** Reference URL: https://attack.mitre.org/techniques/T1055/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-network-connection-attempt-by-root.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-network-connection-attempt-by-root.asciidoc new file mode 100644 index 0000000000..1044ba135c --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-network-connection-attempt-by-root.asciidoc 
@@ -0,0 +1,94 @@ +[[prebuilt-rule-7-16-4-suspicious-network-connection-attempt-by-root]] +=== Suspicious Network Connection Attempt by Root + +Identifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate a potential reverse shell activity via a privileged process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 43 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/ +* https://twitter.com/GossiTheDog/status/1522964028284411907 +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Command and Control + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis +### Investigating Connection Attempt by Non-SSH Root Session +Detection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation: +- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'. +- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener. +- Analyze anomalies in the use of files that do not normally initiate connections. +- Examine processes utilizing the network that do not normally have network communication. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m +[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and + not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")] +[process where event.action == "session_id_change" and user.id == "0" and + not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Non-Application Layer Protocol +** ID: T1095 +** Reference URL: https://attack.mitre.org/techniques/T1095/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-pdf-reader-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-pdf-reader-child-process.asciidoc new file mode 100644 index 0000000000..c340cd16f8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-pdf-reader-child-process.asciidoc 
@@ -0,0 +1,141 @@ +[[prebuilt-rule-7-16-4-suspicious-pdf-reader-child-process]] +=== Suspicious PDF Reader Child Process + +Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious PDF Reader Child Process + +PDF is a common file type used in corporate environments and most machines have software to handle these files. This +creates a vector where attackers can exploit the engines and technology behind this class of software for initial access +or privilege escalation. + +This rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve PDF documents received and opened by the user that could cause this behavior. Common locations include, but +are not limited to, the Downloads and Document folders and the folder configured at the email client. 
+- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, +persistence mechanisms, and malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : ("AcroRd32.exe", + "Acrobat.exe", + "FoxitPhantomPDF.exe", + "FoxitReader.exe") and + process.name : ("arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe", + "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", + "quser.exe", "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", + "whoami.exe", "bginfo.exe", "cdb.exe", "cmstp.exe", "csi.exe", "dnx.exe", "fsi.exe", "ieexec.exe", + "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe", "msbuild.exe", "mshta.exe", + "msxsl.exe", "odbcconf.exe", "rcsi.exe", "regsvr32.exe", "xwizard.exe", "atbroker.exe", + "forfiles.exe", "schtasks.exe", "regasm.exe", "regsvcs.exe", "cmd.exe", "cscript.exe", + "powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "bitsadmin.exe", "certutil.exe", "ftp.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: 
+** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-portable-executable-encoded-in-powershell-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-portable-executable-encoded-in-powershell-script.asciidoc new file mode 100644 index 0000000000..25a005fabb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-portable-executable-encoded-in-powershell-script.asciidoc 
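Review bot: the ATT&CK mapping lists only T1204 User Execution, while the description says these child processes "are often launched via exploitation of PDF applications" and the triage text frames the rule around attackers exploiting "the engines and technology behind this class of software for initial access or privilege escalation"; add T1203 Exploitation for Client Execution so the technique tags match the behavior the rule claims to cover. Minor wording in the investigation steps: "the folder configured at the email client" should read "the folder configured in the email client".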
@@ -0,0 +1,151 @@ +[[prebuilt-rule-7-16-4-suspicious-portable-executable-encoded-in-powershell-script]] +=== Suspicious Portable Executable Encoded in Powershell Script + +Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Portable Executable Encoded in Powershell Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, +bypassing file-based security protections. These executables are generally base64 encoded. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Retrieve the script and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. 
+- Remove and block malicious artifacts identified during triage. +- Reimage the host operating system or restore the compromised files to clean versions. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and + powershell.file.script_block_text : ( + TVqQAAMAAAAEAAAA + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ 
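Review bot: the query keys on a single base64 literal, `TVqQAAMAAAAEAAAA`, which is the encoding of the first twelve bytes of a stock DOS header (`MZ`, then e_cblp 0x90, e_cp 3, e_crlc 0, e_cparhdr 4, e_minalloc 0) and only when the PE is encoded starting at byte offset zero. Base64 has three alignments, so a PE encoded after a one- or two-byte prefix, or concatenated behind other data, yields a different string for the same header; and the Windows loader checks only `e_magic` and `e_lfanew`, so an attacker can zero the remaining header fields without breaking the file. Consider adding the other two alignment variants and stating in the description that the rule matches the default linker-produced header. Also, "with with Advanced Audit Configuration" in the Setup section is a doubled word.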
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-powershell-engine-imageload.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-powershell-engine-imageload.asciidoc new file mode 100644 index 0000000000..d7bcbeaf37 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-powershell-engine-imageload.asciidoc 
@@ -0,0 +1,201 @@ +[[prebuilt-rule-7-16-4-suspicious-powershell-engine-imageload]] +=== Suspicious PowerShell Engine ImageLoad + +Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious PowerShell Engine ImageLoad + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called +"PowerShell without PowerShell," works by using the underlying System.Management.Automation namespace and can bypass +application allowlisting and PowerShell security features. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file +modifications, and any spawned child processes. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. +- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with +some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") or + file.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll")) and + +/* add false positives relevant to your environment here */ +not process.executable : ("C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe", "C:\\Windows\\System32\\sdiagnhost.exe") and +not process.executable regex~ """C:\\Program Files( \(x86\))?\\*\.exe""" and + not process.name : + ( + "Altaro.SubAgent.exe", + "AppV_Manage.exe", + "azureadconnect.exe", + "CcmExec.exe", + "configsyncrun.exe", + "choco.exe", + "ctxappvservice.exe", + "DVLS.Console.exe", + "edgetransport.exe", + "exsetup.exe", + "forefrontactivedirectoryconnector.exe", + "InstallUtil.exe", + "JenkinsOnDesktop.exe", + "Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe", + "mmc.exe", + "mscorsvw.exe", + "msexchangedelivery.exe", + "msexchangefrontendtransport.exe", + "msexchangehmworker.exe", + "msexchangesubmission.exe", + "msiexec.exe", + "MsiExec.exe", + "noderunner.exe", + "NServiceBus.Host.exe", + "NServiceBus.Host32.exe", + "NServiceBus.Hosting.Azure.HostProcess.exe", + "OuiGui.WPF.exe", + "powershell.exe", + "powershell_ise.exe", + "pwsh.exe", + "SCCMCliCtrWPF.exe", + "ScriptEditor.exe", + "ScriptRunner.exe", + "sdiagnhost.exe", + "servermanager.exe", + "setup100.exe", + "ServiceHub.VSDetouredHost.exe", + "SPCAF.Client.exe", + "SPCAF.SettingsEditor.exe", + "SQLPS.exe", + "telemetryservice.exe", + "UMWorkerProcess.exe", + "w3wp.exe", + "wsmprovhost.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and 
Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-print-spooler-file-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-print-spooler-file-deletion.asciidoc new file mode 100644 index 0000000000..5e3800fee5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-print-spooler-file-deletion.asciidoc 
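Review bot: the exclusion `not process.executable regex~ """C:\\Program Files( \(x86\))?\\*\.exe"""` does not exclude what it appears intended to: in that pattern `\\*` is a literal backslash quantified by `*` (zero or more backslashes), not "any path", and EQL regex matching is anchored to the whole string, so it only matches strings such as `C:\Program Files\.exe`; if the goal is to exclude every executable under Program Files, the tail of the pattern should be `\\.*\.exe`. Two documentation issues in the same hunk: the Setup section contains two `## Setup` headings, and the first one requires PowerShell Script Block Logging, which this query never consumes (it matches `library` and `Image loaded*` events on `System.Management.Automation*.dll`), so that block appears copied from a script-block rule and should be replaced with the image-load data source requirement. Finally, `msiexec.exe` and `MsiExec.exe` are both listed in the `process.name` exclusions even though `:` is already case-insensitive.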
@@ -0,0 +1,76 @@ +[[prebuilt-rule-7-16-4-suspicious-print-spooler-file-deletion]] +=== Suspicious Print Spooler File Deletion + +Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type : "deletion" and + not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe") and + file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ 
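Review bot: `file.path` covers only the 64-bit driver store, `?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll`; 32-bit drivers are stored under `?:\\Windows\\System32\\spool\\drivers\\W32X86\\3\\`, so clean-up of a DLL planted through the same CVE-2021-34527 technique on a 32-bit driver path is not seen. Add the W32X86 path as a second pattern. The Investigation guide for this rule consists solely of the `event.ingested` Setup note; since the rule is explicitly about post-exploitation clean-up, a short triage section (which process deleted the file, and whether a driver-installation event for the same path preceded it) would let an analyst act on the alert.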
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-printspooler-service-executable-file-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-printspooler-service-executable-file-creation.asciidoc new file mode 100644 index 0000000000..cdfa59ccc2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-printspooler-service-executable-file-creation.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-suspicious-printspooler-service-executable-file-creation]] +=== Suspicious PrintSpooler Service Executable File Creation + +Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/ +* https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and process.name : "spoolsv.exe" and + file.extension : ("exe", "dll") and + not file.path : ("?:\\Windows\\System32\\spool\\*", "?:\\Windows\\Temp\\*", "?:\\Users\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-printspooler-spl-file-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-printspooler-spl-file-created.asciidoc new file mode 100644 index 0000000000..74fe8fcf9c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-printspooler-spl-file-created.asciidoc 
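Review bot: the exclusion `not file.path : (..., "?:\\Windows\\Temp\\*", "?:\\Users\\*")` means an executable or DLL that `spoolsv.exe` writes anywhere under a user profile is never alerted on, yet the arbitrary-file-write primitive the description cites (CVE-2020-1048 and CVE-2020-1337) lets an attacker have the spooler drop a DLL there for search-order hijacking; if those paths are excluded for noise, say so in the description and consider narrowing the exclusion to the specific subdirectories that generate it. The condition `event.type != "deletion"` also matches modification and overwrite events, which is what a PrintDemon-style write to an existing DLL looks like, so the title and description should say "created or modified" rather than "creation". "CVE's" should read "CVEs".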
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-suspicious-printspooler-spl-file-created]] +=== Suspicious PrintSpooler SPL File Created + +Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. . + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Threat intel + +Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched. + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and + file.extension : "spl" and + file.path : "?:\\Windows\\System32\\spool\\PRINTERS\\*" and + not process.name : ("spoolsv.exe", + "printfilterpipelinesvc.exe", + "PrintIsolationHost.exe", + "splwow64.exe", + "msiexec.exe", + "poqexec.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-access-via-direct-system-call.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-access-via-direct-system-call.asciidoc new file mode 100644 index 0000000000..f1a558c70b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-access-via-direct-system-call.asciidoc 
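Review bot: the exclusions are matched on `process.name` alone (`spoolsv.exe`, `printfilterpipelinesvc.exe`, `PrintIsolationHost.exe`, ...), so any tool renamed to one of those names that writes an `.spl` file into `?:\\Windows\\System32\\spool\\PRINTERS\\` bypasses the rule; match on `process.executable` with the full System32 path instead, or additionally require a Microsoft code signature where the data source provides `process.code_signature` fields. The description ends with a stray double period (". ."), and the Threat intel paragraph "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337" reads better as "Refer to CVE-2020-1048 and CVE-2020-1337".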
@@ -0,0 +1,148 @@ +[[prebuilt-rule-7-16-4-suspicious-process-access-via-direct-system-call]] +=== Suspicious Process Access via Direct System Call + +Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/SBousseaden/status/1278013896440324096 +* https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Process Access via Direct System Call + +Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is +malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. + +More context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/). + +This rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system +calls to bypass security solutions that rely on hooks. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file +modifications, and any spawned child processes. +- Retrieve the process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting +SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove the malicious certificate from the root certificate store. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.code == "10" and + length(winlog.event_data.CallTrace) > 0 and + + /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */ + not winlog.event_data.CallTrace : + ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*", + "?:\\WINDOWS\\SysWOW64\\ntdll.dll*", + "?:\\Windows\\System32\\wow64cpu.dll*", + "?:\\WINDOWS\\System32\\wow64win.dll*", + "?:\\Windows\\System32\\win32u.dll*") and + + not winlog.event_data.TargetImage : + ("?:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae-svc.exe", + "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", + "?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe", + "?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\*\\AcroCEF.exe") and + + not (process.executable : ("?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe", + "?:\\Program Files (x86)\\World of Warcraft\\_classic_\\WowClassic.exe") and + not winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-creation-calltrace.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-creation-calltrace.asciidoc new file mode 100644 index 0000000000..8e93d75221 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-creation-calltrace.asciidoc 
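Review bot: the False positive analysis ("applications that install root certificates for the purpose of inspecting SSL traffic") and the response step "Remove the malicious certificate from the root certificate store" describe a certificate-installation detection, not process access via direct system calls; neither has any relation to the `event.code == "10"` CallTrace logic below, so this text looks copied from another rule and should be replaced with the benign sources this rule actually encounters (security products, anti-cheat and CEF-based applications, which the `TargetImage` and `process.executable` exclusions already hint at). Also, the Outflank research blog linked in the triage section is not listed under References, and "ntdll which host Windows NT Syscalls" in the query comment should read "which hosts".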
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-suspicious-process-creation-calltrace]] +=== Suspicious Process Creation CallTrace + +Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection or hollowing attempt. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 43 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [process where event.code == "1" and + /* sysmon process creation */ + process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe", "fltldr.exe", + "mspub.exe", "msaccess.exe","cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", + "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") and + + /* noisy FP patterns */ + not (process.parent.name : "EXCEL.EXE" and process.executable : "?:\\Program Files\\Microsoft Office\\root\\Office*\\ADDINS\\*.exe") and + not (process.executable : "?:\\Windows\\splwow64.exe" and process.args in ("8192", "12288") and process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")) and + not (process.parent.name : "rundll32.exe" and process.parent.args : ("?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc", "--no-sandbox")) and + not (process.executable : + ("?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe", + "?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe", + "?:\\Windows\\SysWOW64\\DWWIN.EXE") and + process.parent.name : 
("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")) and + not (process.parent.name : "regsvr32.exe" and process.parent.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) + ] by process.parent.entity_id, process.entity_id + [process where event.code == "10" and + /* Sysmon process access event from unknown module */ + winlog.event_data.CallTrace : "*UNKNOWN*"] by process.entity_id, winlog.event_data.TargetProcessGUID + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-execution-via-renamed-psexec-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-execution-via-renamed-psexec-executable.asciidoc new file mode 100644 index 0000000000..7de6b4c325 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-execution-via-renamed-psexec-executable.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-suspicious-process-execution-via-renamed-psexec-executable]] +=== Suspicious Process Execution via Renamed PsExec Executable + +Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started", "info") and + process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: System Services +** ID: T1569 +** Reference URL: https://attack.mitre.org/techniques/T1569/ +* Sub-technique: +** Name: Service Execution +** ID: T1569.002 +** Reference URL: https://attack.mitre.org/techniques/T1569/002/ 
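Review bot: in the renamed-PsExec hunk the description `Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.` is hard to parse; suggest `Identifies execution of the PsExec service binary (original file name psexesvc.exe) under a different process name, which may indicate an attempt to evade detection.` Since the match is `process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe"`, the Setup section should also state that the rule depends on PE header metadata being collected for process events, as `process.name` alone cannot identify the renamed binary.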
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-from-conhost.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-from-conhost.asciidoc new file mode 100644 index 0000000000..f5b72dfb88 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-process-from-conhost.asciidoc 
@@ -0,0 +1,134 @@ +[[prebuilt-rule-7-16-4-suspicious-process-from-conhost]] +=== Suspicious Process from Conhost + +Identifies a suspicious Conhost child process which may be an indication of code injection activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://modexp.wordpress.com/2018/09/12/process-injection-user-data/ +* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Process from Conhost + +The Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as +the classic Windows user interface for working with command-line applications. + +The `conhost.exe` process doesn't normally have child processes. Any processes spawned by the `conhost.exe` process can indicate code +injection activity or a suspicious process masquerading as the `conhost.exe` process. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file +modifications, and any spawned child processes. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. +- Retrieve the process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### Related rules + +- Conhost Spawned By Suspicious Parent Process - 05b358de-aa6d-4f6c-89e6-78f74018b43b +- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3 + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "conhost.exe" and + not process.executable : ("?:\\Windows\\splwow64.exe", "?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\conhost.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-rdp-activex-client-loaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-rdp-activex-client-loaded.asciidoc new file mode 100644 index 0000000000..cb5a41cd13 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-rdp-activex-client-loaded.asciidoc 
@@ -0,0 +1,89 @@ +[[prebuilt-rule-7-16-4-suspicious-rdp-activex-client-loaded]] +=== Suspicious RDP ActiveX Client Loaded + +Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "mstscax.dll" or file.name : "mstscax.dll") and + /* depending on noise in your env add here extra paths */ + process.executable : + ( + "C:\\Windows\\*", + "C:\\Users\\Public\\*", + "C:\\Users\\Default\\*", + "C:\\Intel\\*", + "C:\\PerfLogs\\*", + "C:\\ProgramData\\*", + "\\Device\\Mup\\*", + "\\\\*" + ) and + /* add here FPs */ + not process.executable : ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc new file mode 100644 index 0000000000..6845e3bbd9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc 
@@ -0,0 +1,158 @@ +[[prebuilt-rule-7-16-4-suspicious-remote-registry-access-via-sebackupprivilege]] +=== Suspicious Remote Registry Access via SeBackupPrivilege + +Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/mpgn/BackupOperatorToDA +* https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Lateral Movement +* Credential Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Remote Registry Access via SeBackupPrivilege + +SeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of +the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of +providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system. + +This rule identifies remote access to the registry using an account with Backup Operators group membership. This may +indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation +for credential access and privileges elevation. 
+ +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the activities done by the subject user the login session. The field `winlog.event_data.SubjectLogonId` +can be used to get this data. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file +modifications, and processes created. +- Investigate if the registry file was retrieved or exfiltrated. + +### False positive analysis + +- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions +if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Limit or disable the involved user account to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers. 
+Steps to implement the logging policy with with Advanced Audit Configuration: +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Object Access > +Audit Detailed File Share (Success) +``` + +The 'Special Logon' audit policy must be configured (Success). +Steps to implement the logging policy with with Advanced Audit Configuration: +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Logon/Logoff > +Special Logon (Success) +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m + [iam where event.action == "logged-in-special" and + winlog.event_data.PrivilegeList : "SeBackupPrivilege" and + + /* excluding accounts with existing privileged access */ + not winlog.event_data.PrivilegeList : "SeDebugPrivilege"] + [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ 
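Review bot: the SeBackupPrivilege Setup section has several wording slips: `The 'Audit Detailed File Share' audit policy is required be configured (Success)` should read `is required to be configured`; `Steps to implement the logging policy with with Advanced Audit Configuration:` repeats `with` (both occurrences); and in the investigation steps `Investigate the activities done by the subject user the login session.` is missing `during`. In the triage text, `This privilege must bypass any access control list (ACL) placed in the system.` would be clearer as `This privilege bypasses any access control list (ACL) in the system.`, which is what the preceding sentence about full read access means.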
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-script-object-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-script-object-execution.asciidoc new file mode 100644 index 0000000000..7103591da8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-script-object-execution.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-suspicious-script-object-execution]] +=== Suspicious Script Object Execution + +Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=2m + [process where event.type == "start" + and (process.code_signature.subject_name in ("Microsoft Corporation", "Microsoft Windows") and + process.code_signature.trusted == true) and + not process.executable : ( + "?:\\Windows\\System32\\cscript.exe", + "?:\\Windows\\SysWOW64\\cscript.exe", + "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "?:\\Program Files\\Internet Explorer\\iexplore.exe", + "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe", + "?:\\Windows\\system32\\msiexec.exe", + "?:\\Windows\\SysWOW64\\msiexec.exe", + "?:\\Windows\\System32\\smartscreen.exe", + "?:\\Windows\\system32\\taskhostw.exe", + "?:\\windows\\system32\\inetsrv\\w3wp.exe", + "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe", + "?:\\Windows\\system32\\wscript.exe", + "?:\\Windows\\SysWOW64\\wscript.exe", + "?:\\Windows\\system32\\mobsync.exe", + "?:\\Windows\\SysWOW64\\mobsync.exe", + "?:\\Windows\\System32\\cmd.exe", + "?:\\Windows\\SysWOW64\\cmd.exe")] + [library where event.type == "start" and dll.name : "scrobj.dll"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense 
Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-solarwinds-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-solarwinds-child-process.asciidoc new file mode 100644 index 0000000000..feac4d6948 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-solarwinds-child-process.asciidoc 
@@ -0,0 +1,97 @@ +[[prebuilt-rule-7-16-4-suspicious-solarwinds-child-process]] +=== Suspicious SolarWinds Child Process + +A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html +* https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and + not process.name : ( + "APMServiceControl*.exe", + "ExportToPDFCmd*.Exe", + "SolarWinds.Credentials.Orion.WebApi*.exe", + "SolarWinds.Orion.Topology.Calculator*.exe", + "Database-Maint.exe", + "SolarWinds.Orion.ApiPoller.Service.exe", + "WerFault.exe", + "WerMgr.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Supply Chain Compromise +** ID: T1195 +** Reference URL: https://attack.mitre.org/techniques/T1195/ +* Sub-technique: +** Name: Compromise Software Supply Chain +** ID: T1195.002 +** Reference URL: https://attack.mitre.org/techniques/T1195/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-werfault-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-werfault-child-process.asciidoc new file mode 100644 index 0000000000..e49b2efb22 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-werfault-child-process.asciidoc 
@@ -0,0 +1,90 @@ +[[prebuilt-rule-7-16-4-suspicious-werfault-child-process]] +=== Suspicious WerFault Child Process + +A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/ +* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +* https://blog.menasec.net/2021/01/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "WerFault.exe" and + not process.name : ("cofire.exe", + "psr.exe", + "VsJITDebugger.exe", + "TTTracer.exe", + "rundll32.exe", + "LogiOptionsMgr.exe") and + not process.args : ("/LOADSAVEDWINDOWS", + "/restore", + "RestartByRestartManager*", + "--restarted", + "createdump", + "dontsend", + "/watson") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-wmi-image-load-from-ms-office.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-wmi-image-load-from-ms-office.asciidoc new file mode 100644 index 0000000000..86c627a8d3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-wmi-image-load-from-ms-office.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-suspicious-wmi-image-load-from-ms-office]] +=== Suspicious WMI Image Load from MS Office + +Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where + (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and + (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-wmic-xsl-script-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-wmic-xsl-script-execution.asciidoc new file mode 100644 index 0000000000..ad75db83ba --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-wmic-xsl-script-execution.asciidoc 
@@ -0,0 +1,67 @@ +[[prebuilt-rule-7-16-4-suspicious-wmic-xsl-script-execution]] +=== Suspicious WMIC XSL Script Execution + +Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan = 2m +[process where event.type in ("start", "process_started") and + (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and + process.args : ("format*:*", "/format*:*", "*-format*:*") and + not process.command_line : "* /format:table *"] +[any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: XSL Script Processing +** ID: T1220 +** Reference URL: https://attack.mitre.org/techniques/T1220/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-zoom-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-zoom-child-process.asciidoc new file mode 100644 index 0000000000..692b291932 
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-suspicious-zoom-child-process.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-suspicious-zoom-child-process]] +=== Suspicious Zoom Child Process + +A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started", "info") and + process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ 
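Review bot: `event.type in ("start", "process_started", "info")` in the rule query admits the `info` type, which the sibling process rules in this package (Svchost spawning Cmd, System Shells via Services) do not; `info` is an ECS informational type rather than a launch, so an already running `cmd.exe` under `Zoom.exe` can be alerted on again without any new execution. Drop `"info"` unless the repeat alerts are intended, and if they are, say so in the description. The framework block also lists Process Injection (T1055), but nothing in the query observes injection; it only checks the parent/child pair, so that mapping overstates what the alert proves.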
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-svchost-spawning-cmd.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-svchost-spawning-cmd.asciidoc new file mode 100644 index 0000000000..7b60f35715 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-svchost-spawning-cmd.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-svchost-spawning-cmd]] +=== Svchost spawning Cmd + +Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.parent.name : "svchost.exe" and process.name : "cmd.exe" and + not (process.pe.original_file_name : "cmd.exe" and process.args : ( + "??:\\Program Files\\Npcap\\CheckStatus.bat?", + "?:\\Program Files\\Npcap\\CheckStatus.bat", + "\\system32\\cleanmgr.exe", + "?:\\Windows\\system32\\silcollector.cmd", + "\\system32\\AppHostRegistrationVerifier.exe", + "\\system32\\ServerManagerLauncher.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ 
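Review bot: `process where event.type == "start"` matches only the `start` type, while the neighbouring rules on the same indices (`winlogbeat-*`, `logs-windows.*`) use `event.type in ("start", "process_started")`; Sysmon data shipped with the older `process_started` value never hits this rule. Align the clause with the rest of the package. Two small things: the description, `Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe`, wants a hyphen in parent-child and a closing period, and the leading `??:` and trailing `?` in `"??:\\Program Files\\Npcap\\CheckStatus.bat?"` are there to absorb the quote characters around the path; a one-line comment saying so would spare the next reader from reading it as a typo.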
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-symbolic-link-to-shadow-copy-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-symbolic-link-to-shadow-copy-created.asciidoc new file mode 100644 index 0000000000..5d8cfe8fea --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-symbolic-link-to-shadow-copy-created.asciidoc 
@@ -0,0 +1,147 @@ +[[prebuilt-rule-7-16-4-symbolic-link-to-shadow-copy-created]] +=== Symbolic Link to Shadow Copy Created + +Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink +* https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf +* https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/ +* https://www.hackingarticles.in/credential-dumping-ntds-dit/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access + +*Version*: 7 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Symbolic Link to Shadow Copy Created + +Shadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt +to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active +Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is +needed to extract these hashes and potentially conduct lateral movement. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. 
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Determine if a volume shadow copy was recently created on this endpoint. +- Review privileges of the end user as this requires administrative access. +- Verify if the ntds.dit file was successfully copied and determine its copy destination. +- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe. +- Investigate recent deletions of volume shadow copies. +- Identify other files potentially copied from volume shadow copy paths directly. + +### False positive analysis + +- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- If the entire domain or the `krbtgt` user was compromised: + - Activate your incident response plan for total Active Directory compromise which should include, but not be limited + to, a password reset (twice) of the `krbtgt` user. +- Locate and remove static files copied from volume shadow copies. +- Command-Line tool mklink should require administrative access by default unless in developer mode. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +Ensure advanced audit policies for Windows are enabled, specifically: +Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested) + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +System Audit Policies > +Object Access > +Audit File System (Success,Failure) +Audit Handle Manipulation (Success,Failure) +``` + +This event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments. +Direct access to a shell and calling symbolic link creation tools will not generate an event matching this rule. + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start","process_created") and + process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE") and + + /* Create Symbolic Link to Shadow Copies */ + process.args : ("*mklink*", "*SymbolicLink*") and process.command_line : ("*HarddiskVolumeShadowCopy*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-system-log-file-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-system-log-file-deletion.asciidoc new file mode 100644 index 0000000000..40ac5297dc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-system-log-file-deletion.asciidoc 
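Review bot: `event.type in ("start","process_created")` uses `process_created`, a value no other rule in this package matches; the Windows rules here pair `start` with `process_started` for the legacy Sysmon mapping, so the second value is dead and older Sysmon events miss the rule. The `## Setup` text also asks for Object Access auditing (`Event ID 4656`, `Audit Handle Manipulation`), but the query is a process-start rule on `process.args` and `process.command_line` and never consumes 4656, so that step is unnecessary and misleading; the sentence that follows it (`This event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe`) is the accurate statement of what the rule needs. Finally, `process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE")` is case-sensitive (`in`, not `in~`) and omits PowerShell 7 (`pwsh.exe`), so `New-Item -ItemType SymbolicLink` run from pwsh is not covered.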
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-system-log-file-deletion]] +=== System Log File Deletion + +Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type == "deletion" and + file.path : + ( + "/var/run/utmp", + "/var/log/wtmp", + "/var/log/btmp", + "/var/log/lastlog", + "/var/log/faillog", + "/var/log/syslog", + "/var/log/messages", + "/var/log/secure", + "/var/log/auth.log" + ) and + not process.name : ("gzip") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal on Host +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ 
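Review bot: the only exclusion in the query, `not process.name : ("gzip")`, keys on the process name alone, so a copy of `rm` renamed `gzip` walks past the rule; prefer `process.executable : ("/bin/gzip", "/usr/bin/gzip")` and add a comment on which rotation case it is there for, since the paths in the list are the live files, which logrotate renames rather than deletes. Two smaller points: on systemd distributions `/var/run` is a symlink to `/run`, so `/run/utmp` belongs in the list if the endpoint reports resolved paths; and the framework block stops at T1070 while the sibling bash-history rule maps to a sub-technique, so adding `T1070.002` (Clear Linux or Mac System Logs) would make the mappings consistent.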
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-system-shells-via-services.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-system-shells-via-services.asciidoc new file mode 100644 index 0000000000..cec038fc58 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-system-shells-via-services.asciidoc 
@@ -0,0 +1,121 @@ +[[prebuilt-rule-7-16-4-system-shells-via-services]] +=== System Shells via Services + +Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 15 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating System Shells via Services + +Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from +administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads. + +This rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify how the service was created or modified. Look for registry changes events or Windows events related to +service activities (for example, 4697 and/or 7045). + - Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check for commands executed under the spawned shell. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive +(B-TP), as this configuration can put the user and the domain at risk. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Delete the service or restore it to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "services.exe" and + process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") and + + /* Third party FP's */ + not process.args : "NVDisplay.ContainerLocalSystem" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-tampering-of-bash-command-line-history.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-tampering-of-bash-command-line-history.asciidoc new file mode 100644 index 0000000000..b9cd97180b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-tampering-of-bash-command-line-history.asciidoc 
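Review bot: the tactic mapping lists only Persistence (TA0003), yet the description (`can be used as a privilege escalation opportunity ... to gain SYSTEM permissions`) and the triage text (`elevate their privileges from administrator to SYSTEM`) describe Privilege Escalation; T1543.003 sits under both tactics, so add TA0004 and the `Privilege Escalation` tag so the alert is filed where the guide says it belongs. The single exclusion, `not process.args : "NVDisplay.ContainerLocalSystem"`, is a match on the child's argument list that any command can include (`cmd.exe /c payload.exe NVDisplay.ContainerLocalSystem` is excluded), so tie it to the NVIDIA executable path or code signature instead. Wording: `which is compatible with the above behavior` reads oddly; `which matches the behavior described above` is what is meant.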
@@ -0,0 +1,87 @@ +[[prebuilt-rule-7-16-4-tampering-of-bash-command-line-history]] +=== Tampering of Bash Command-Line History + +Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* macOS +* Threat Detection +* Defense Evasion + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ( + ((process.args : ("rm", "echo") or + (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or + (process.args : "truncate" and process.args : "-s0")) + and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history", + ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or + (process.name : "history" and process.args : "-c") or + (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or + (process.args : "unset" and process.args : "HISTFILE") or + (process.args : "set" and process.args : "history" and process.args : "+o") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal on Host +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Command History +** ID: T1070.003 +** Reference URL: https://attack.mitre.org/techniques/T1070/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc new file mode 100644 index 0000000000..e2a8635902 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc 
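Review bot: the last four branches of the query (`process.name : "history" and process.args : "-c"`, the `export`, `unset` and `set ... +o` clauses) target shell builtins, which never appear as a process start: `unset HISTFILE` typed into an interactive shell produces no `process` event at all, and `bash -c "unset HISTFILE"` produces one whose `process.args` is `["bash", "-c", "unset HISTFILE"]`, a single token that does not equal `"unset"`. As written those branches rarely if ever fire; match on `process.command_line : ("*unset HISTFILE*", "*HISTFILE=/dev/null*", "*history -c*", "*set +o history*")` instead, and note in the description that builtins are only visible when wrapped in a new shell process. Also, the title and first paragraph say Bash but the path list includes `.zsh_history`; either widen the title or mention zsh in the description.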
@@ -0,0 +1,64 @@ +[[prebuilt-rule-7-16-4-tcc-bypass-via-mounted-apfs-snapshot-access]] +=== TCC Bypass via Mounted APFS Snapshot Access + +Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple’s privacy framework (TCC). + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://theevilbit.github.io/posts/cve_2020_9771/ + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Defense Evasion +* CVE_2020_9771 + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category : process and event.type : (start or process_started) and process.name : mount_apfs and + process.args : (/System/Volumes/Data and noowners) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Direct Volume Access +** ID: T1006 +** Reference URL: https://attack.mitre.org/techniques/T1006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-third-party-backup-files-deleted-via-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-third-party-backup-files-deleted-via-unexpected-process.asciidoc new file mode 100644 index 0000000000..2a4c9d7d33 --- /dev/null 
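Review bot: the `noowners` term in `process.args : (/System/Volumes/Data and noowners)` is an exact match on one argv element, so the option is only caught when passed alone (`-o noowners`); mount_apfs accepts comma-joined option lists (`-o ro,noowners`), which arrive as a single argument and miss the rule. Use a wildcard (`*noowners*`) or match `process.command_line`. The rule also has no `==== Investigation guide` block, unlike every EQL rule in the package; a KQL rule does not need the `event.ingested` note, but a short triage paragraph pointing at the referenced write-up would make a high-severity alert actionable.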
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-third-party-backup-files-deleted-via-unexpected-process.asciidoc 
@@ -0,0 +1,134 @@ +[[prebuilt-rule-7-16-4-third-party-backup-files-deleted-via-unexpected-process]] +=== Third-party Backup Files Deleted via Unexpected Process + +Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Impact + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Third-party Backup Files Deleted via Unexpected Process + +Backups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing +data recovery, making them a valuable target. + +Attackers can delete backups from the host and gain access to backup servers to remove centralized backups for the +environment, ensuring that victims have no alternatives to paying the ransom. + +This rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete +Veritas or Veeam backups. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if any files on the host machine have been encrypted. + +### False positive analysis + +- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are +not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together. + +### Related rules + +- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type == "deletion" and + ( + /* Veeam Related Backup Files */ + (file.extension : ("VBK", "VIB", "VBM") and + not process.executable : ("?:\\Windows\\Veeam\\Backup\\*", + "?:\\Program Files\\Veeam\\Backup and Replication\\*", + "?:\\Program Files (x86)\\Veeam\\Backup and Replication\\*")) or + + /* Veritas Backup Exec Related Backup File */ + (file.extension : "BKF" and + not process.executable : ("?:\\Program Files\\Veritas\\Backup Exec\\*", + "?:\\Program Files (x86)\\Veritas\\Backup Exec\\*")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-threat-detected-by-okta-threatinsight.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-threat-detected-by-okta-threatinsight.asciidoc new file mode 100644 index 0000000000..96be14539f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-threat-detected-by-okta-threatinsight.asciidoc 
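Review bot: both exclusions in the query are path-only (`not process.executable : ("?:\\Windows\\Veeam\\Backup\\*", ...)` and the Veritas equivalent), so the rule over-alerts on any Veeam or Veritas component installed outside those directories and under-alerts on anything an attacker with admin rights drops into them, which an operator who has already stopped the backup service can do. Pair the path with the publisher signature (`process.code_signature.subject_name` and `process.code_signature.trusted`, available on `logs-endpoint.events.*`) and keep the path list as the fallback for `winlogbeat-*`. The false-positive text anticipates manual deletions; it should also name the scheduled retention job that prunes `.vbk`/`.vib` files, since that is the most common benign source of this event.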
@@ -0,0 +1,63 @@ +[[prebuilt-rule-7-16-4-threat-detected-by-okta-threatinsight]] +=== Threat Detected by Okta ThreatInsight + +Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Monitoring + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:security.threat.detected + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-timestomping-using-touch-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-timestomping-using-touch-command.asciidoc new file mode 100644 index 0000000000..c909e8c476 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-timestomping-using-touch-command.asciidoc 
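Review bot: `*Searches indices from*: None` makes this the only rule in the package without a look-back window; every other rule states `now-9m` against a 5m interval so that consecutive runs overlap. With no `from`, a 5m schedule relies on the engine default, and Okta system-log events, which the integration fetches by polling the API, can land in the gap between runs. Set an explicit `from` with the same overlap. The hunk also ends without a `*Framework*: MITRE ATT&CK` block, although the description names brute force and password spraying; mapping to Credential Access / T1110 (Brute Force) would bring it in line with the rest of the package.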
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-timestomping-using-touch-command]] +=== Timestomping using Touch Command + +Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* macOS +* Threat Detection +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.name : "touch" and user.id != "0" and + process.args : ("-r", "-t", "-a*","-m*") and + not process.args : ("/usr/lib/go-*/bin/go", "/usr/lib/dracut/dracut-functions.sh", "/tmp/KSInstallAction.*/m/.patch/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal on Host +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Timestomp +** ID: T1070.006 +** Reference URL: https://attack.mitre.org/techniques/T1070/006/ 
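Review bot: `user.id != "0"` in the query excludes every `touch` run as root, which is exactly the context in which an intruder who has already escalated will timestomp dropped files; T1070.006 is not an unprivileged-only technique. If the filter exists to suppress package-manager and build-tool noise, the three path exceptions that follow already carry that weight; either drop the root filter or state in the description that root activity is deliberately out of scope. Also, `*Maximum alerts per execution*: 33` stands out next to the `100` every other rule uses; confirm it is intentional and not a typo.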
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc new file mode 100644 index 0000000000..44ea03a370 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc 
@@ -0,0 +1,83 @@ +[[prebuilt-rule-7-16-4-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer]] +=== UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer + +Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and + process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding" + + /* uncomment once in winlogbeat */ + /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc new file mode 100644 index 0000000000..6f27f99b96 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc 
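Review bot: the UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer query ships with its Microsoft code-signature exclusion commented out (`/* uncomment once in winlogbeat */`), so any signed, legitimate binary launched by `ieinstal.exe -Embedding` from an `IDC*.tmp` temp folder will alert; either resolve the TODO (enable the `and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)` clause, which evaluates safely when the fields are absent) or state in the description that the exclusion is intentionally disabled for the listed indices. The investigation guide also contains only the Setup note, while the Windows Directory Masquerading doc in this package carries a full Triage and analysis section; the same triage, false-positive and response guidance would transfer here.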
@@ -0,0 +1,82 @@ +[[prebuilt-rule-7-16-4-uac-bypass-attempt-via-privileged-ifileoperation-com-interface]] +=== UAC Bypass Attempt via Privileged IFileOperation COM Interface + +Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/hfiref0x/UACME + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type : "change" and process.name : "dllhost.exe" and + /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */ + file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and + /* has no impact on rule logic just to avoid OS install related FPs */ + not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc new file mode 100644 index 0000000000..4bc6f0c87e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc 
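Review bot: the query comment `/* has no impact on rule logic just to avoid OS install related FPs */` in the UAC Bypass Attempt via Privileged IFileOperation COM Interface rule is misleading: the `not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*")` clause does change which events match, so reword it to say the exclusion only trims Windows Update and component-store writes. The description says the rule identifies UAC bypass "via DLL side-loading" without tying that to what the query actually checks (`dllhost.exe` writing one of the listed module names such as `wow64log.dll` or `comctl32.dll`); one sentence naming that file-write-by-dllhost pattern would make the title, description and query line up.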
@@ -0,0 +1,135 @@ +[[prebuilt-rule-7-16-4-uac-bypass-attempt-via-windows-directory-masquerading]] +=== UAC Bypass Attempt via Windows Directory Masquerading + +Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating UAC Bypass Attempt via Windows Directory Masquerading + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) +to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. +UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the +local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). + +This rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows +directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file +modifications, and any spawned child processes. +- If any of the spawned processes are suspicious, retrieve them and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ 
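Review bot: the trailing space in `"C:\\Windows \\system32\\*.exe"` and `"C:\\Windows \\SysWOW64\\*.exe"` is the entire detection for UAC Bypass Attempt via Windows Directory Masquerading (the lookalike trusted directory), but neither the query nor the description says so; add a query comment such as `/* the space after "Windows" is deliberate: the mock directory is the indicator */` so a future edit does not "fix" the path and silently break the rule. In the triage section, "Benign true positives (B-TPs)" will read as a contradiction to an analyst who has not met the term; spelling it out once (expected activity that nonetheless matches the rule) would help.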
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc new file mode 100644 index 0000000000..fc92355a21 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-7-16-4-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface]] +=== UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface + +Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/hfiref0x/UACME + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.name : "Clipup.exe" and + not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and + /* CLSID of the Elevated COM Interface IEditionUpgradeManager */ + process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc new file mode 100644 index 0000000000..31993664f9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc 
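Review bot: the UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface query hinges on `process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}"`, and the comment `/* CLSID of the Elevated COM Interface IEditionUpgradeManager */` does not say where the value was taken from; point the comment at the UACME reference already listed under References so the CLSID can be verified when the rule is revised. The investigation guide is Setup-only here as well; the Triage and analysis block from the Windows Directory Masquerading doc applies almost verbatim and should be added for consistency across the UAC bypass rules.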
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-uac-bypass-via-diskcleanup-scheduled-task-hijack]] +=== UAC Bypass via DiskCleanup Scheduled Task Hijack + +Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.args : "/autoclean" and process.args : "/d" and + not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe", + "C:\\Windows\\SysWOW64\\cleanmgr.exe", + "C:\\Windows\\System32\\taskhostw.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc new file mode 100644 index 0000000000..1240ea5973 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc 
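Review bot: the exclusion `not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe", "C:\\Windows\\SysWOW64\\cleanmgr.exe", "C:\\Windows\\System32\\taskhostw.exe")` in the UAC Bypass via DiskCleanup Scheduled Task Hijack query is a path-only allowlist; the IE Add-On Installer doc in the same package already sketches a `process.code_signature` condition, and pairing the path check with a signature check here would make the allowlist depend on more than a file location. `*References*: None` also stands out when the sibling UAC bypass rules cite https://github.com/hfiref0x/UACME; a reference describing the scheduled-task hijack would help analysts understand what the `/autoclean` and `/d` arguments indicate.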
@@ -0,0 +1,79 @@ +[[prebuilt-rule-7-16-4-uac-bypass-via-icmluautil-elevated-com-interface]] +=== UAC Bypass via ICMLuaUtil Elevated COM Interface + +Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name == "dllhost.exe" and + process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and + process.pe.original_file_name != "WerFault.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc new file mode 100644 index 0000000000..f0f17e80cf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc 
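Review bot: `process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}")` in the UAC Bypass via ICMLuaUtil Elevated COM Interface query is an exact, case-sensitive match, unlike the `:` operator the rest of this package uses for string fields; if the parent command line is logged with a lower-case GUID or different `/Processid` casing the rule will not fire, so switch to `process.parent.args : (...)` as the IEditionUpgradeManager query does. The `process.pe.original_file_name != "WerFault.exe"` exclusion should also carry a comment saying it suppresses crash-handler children of `dllhost.exe`, matching the commented style of the other queries.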
@@ -0,0 +1,138 @@ +[[prebuilt-rule-7-16-4-uac-bypass-via-windows-firewall-snap-in-hijack]] +=== UAC Bypass via Windows Firewall Snap-In Hijack + +Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/AzAgarampur/byeintegrity-uac + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating UAC Bypass via Windows Firewall Snap-In Hijack + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) +to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. +UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the +local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). + +This rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) +Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file +modifications, and any spawned child processes. +- If any of the spawned processes are suspicious, retrieve them and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name == "mmc.exe" and + /* process.Ext.token.integrity_level_name == "high" can be added in future for tuning */ + /* args of the Windows Firewall SnapIn */ + process.parent.args == "WF.msc" and process.name != "WerFault.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unauthorized-access-to-an-okta-application.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unauthorized-access-to-an-okta-application.asciidoc new file mode 100644 index 0000000000..e19d4d188b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unauthorized-access-to-an-okta-application.asciidoc 
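Review bot: `process.parent.args == "WF.msc"` in the UAC Bypass via Windows Firewall Snap-In Hijack query only matches when the snap-in was opened by bare file name; an `mmc.exe` started with a full path argument ending in `WF.msc` will not satisfy the equality, so `process.parent.args : "*WF.msc"` would cover both launch forms. The inline comment `/* process.Ext.token.integrity_level_name == "high" can be added in future for tuning */` is a TODO living in shipped rule text; either implement it for the data sources that carry the field or track it in an issue rather than in the query.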
@@ -0,0 +1,84 @@ +[[prebuilt-rule-7-16-4-unauthorized-access-to-an-okta-application]] +=== Unauthorized Access to an Okta Application + +Identifies unauthorized access attempts to Okta applications. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Identity +* Okta +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ 
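Review bot: the Framework block for Unauthorized Access to an Okta Application lists the Defense Evasion (TA0005), Persistence (TA0003) and Privilege Escalation (TA0004) tactics with no technique beneath them, while only Initial Access carries Valid Accounts (T1078); since T1078 is the technique that spans all four tactics, each tactic entry should repeat the `* Technique:` sub-list (or the mapping should be trimmed to Initial Access) so the rendered table does not look truncated. The one-line description, `Identifies unauthorized access attempts to Okta applications.`, also says nothing about what the `app.generic.unauth_app_access_attempt` event represents or why it matters; a second sentence, as in the ThreatInsight doc, would give analysts a starting point for triage.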
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unexpected-child-process-of-macos-screensaver-engine.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unexpected-child-process-of-macos-screensaver-engine.asciidoc new file mode 100644 index 0000000000..1a886575bf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unexpected-child-process-of-macos-screensaver-engine.asciidoc 
@@ -0,0 +1,86 @@ +[[prebuilt-rule-7-16-4-unexpected-child-process-of-macos-screensaver-engine]] +=== Unexpected Child Process of macOS Screensaver Engine + +Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/saving-your-access-d562bf5bf90b +* https://github.com/D00MFist/PersistentJXA + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Persistence + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such +as a download of a payload from a server. +- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to +identify whether the file is malicious or not. + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and process.parent.name == "ScreenSaverEngine" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Screensaver +** ID: T1546.002 +** Reference URL: https://attack.mitre.org/techniques/T1546/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-aws-command-for-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-aws-command-for-a-user.asciidoc new file mode 100644 index 0000000000..e62cf6e7d4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-aws-command-for-a-user.asciidoc 
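Review bot: the Unexpected Child Process of macOS Screensaver Engine query alerts on every `start` whose parent is `ScreenSaverEngine`, yet the investigation guide has no False positive analysis section and the query has no exclusions, unlike the other docs in this package; document which child processes are expected from built-in screensavers (or add a `not process.name in (...)` exclusion once they are known) so analysts are not left to triage benign activity at the full 100 alerts per execution. The Triage and analysis bullets would also read more consistently under the `#### Possible investigation steps` heading the other guides use.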
@@ -0,0 +1,120 @@ +[[prebuilt-rule-7-16-4-unusual-aws-command-for-a-user]] +=== Unusual AWS Command for a User + +A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* ML + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual AWS Command for a User + +CloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and +understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity +when deviations occur. + +This rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is +being made by a user context that does not normally use the command. This can be the result of compromised credentials or +keys as someone uses a valid account to persist, move laterally, or exfiltrate data. + +Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM +user. + +#### Possible investigation steps + +- Identify the user account involved and the action performed. Verify whether it should perform this kind of action. 
+ - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the + `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. + - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request. +- Investigate other alerts associated with the user account during the past 48 hours. +- Validate the activity is not related to planned patches, updates, or network administrator activity. +- Examine the request parameters. These might indicate the source of the program or the nature of its tasks. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal +time of day? +- Contact the account owner and confirm whether they are aware of this activity if suspicious. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- Examine the history of the command. If the command only manifested recently, it might be part of a new automation +module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), +it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field. 
+ +### Related Rules + +- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276 +- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1 +- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff +- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-child-process-from-a-system-virtual-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-child-process-from-a-system-virtual-process.asciidoc new file mode 100644 index 0000000000..37be78bb4f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-child-process-from-a-system-virtual-process.asciidoc 
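Review bot: the False positive analysis sentence in prebuilt-rule-7-16-4-unusual-aws-command-for-a-user.asciidoc, "You can find the command in the `event.action field` field.", has the word "field" inside the code span and then repeats it; it should read "in the `event.action` field". The identical sentence appears in the Unusual City and Unusual Country rules in this same patch, so fix it in the shared source text once. The investigation steps also use two different windows without explanation: "Investigate other alerts associated with the user account during the past 48 hours" and "scope potentially compromised assets ... in the last 24 hours"; either align them or state why the scoping window is shorter than the alert window.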
@@ -0,0 +1,74 @@ +[[prebuilt-rule-7-16-4-unusual-child-process-from-a-system-virtual-process]] +=== Unusual Child Process from a System Virtual Process + +Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.pid == 4 and + not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ 
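Review bot: this is a high-severity (risk score 73) rule, yet its Investigation guide contains only the `event.ingested` Setup paragraph, while the other high-severity EQL rule in this package (Unusual Child Process of dns.exe) ships a full Triage and analysis section; at minimum the guide should tell analysts to verify the child's `process.executable` path and signature and to treat anything other than the three excluded images as a likely injected or masquerading process. Separately, `process.parent.pid == 4` identifies the System process only on Windows, but the query has no OS constraint and `logs-endpoint.events.*` also carries Linux and macOS process events; consider anchoring the query with a host OS field (for example `host.os.family == "windows"`) alongside the `?:\\Windows\\System32\\smss.exe` exclusion, which already assumes a Windows path.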
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-child-process-of-dns-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-child-process-of-dns-exe.asciidoc new file mode 100644 index 0000000000..cd90ac3b53 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-child-process-of-dns-exe.asciidoc 
@@ -0,0 +1,127 @@ +[[prebuilt-rule-7-16-4-unusual-child-process-of-dns-exe]] +=== Unusual Child Process of dns.exe + +Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ +* https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/ +* https://github.com/maxpl0it/CVE-2020-1350-DoS + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Initial Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Child Process of dns.exe + +SIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server +versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated +privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can +effectively compromise the entire corporate infrastructure. + +This rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a +similar remote code execution vulnerability in the DNS server. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. + - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. It's + impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in + discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`). + - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be + considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, + `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`. + - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to + `werfault.exe` occurring. +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file +modifications, and any spawned child processes. +- Investigate other alerts associated with the host during the past 48 hours. +- Check whether the server is vulnerable to CVE-2020-1350. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. 
+- Reimage the host operating system or restore the compromised server to a clean state. +- Install the latest patches on systems that run Microsoft DNS Server. +- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS). +- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, +persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and process.parent.name : "dns.exe" and + not process.name : "conhost.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: External Remote Services +** ID: T1133 +** Reference URL: https://attack.mitre.org/techniques/T1133/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-child-processes-of-rundll32.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-child-processes-of-rundll32.asciidoc new file mode 100644 index 0000000000..31119e30e7 --- /dev/null 
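Review bot: in the Triage and analysis text of prebuilt-rule-7-16-4-unusual-child-process-of-dns-exe.asciidoc, "Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights" conflates two things: SYSTEM on the DNS host gives local control of that server, and domain-wide access follows only because the Windows DNS role is commonly co-located with a domain controller. Reword to something like "Because the service runs as SYSTEM, and Windows DNS is usually hosted on a domain controller, successful exploitation typically yields domain-administrator-equivalent access." The ATT&CK mapping is also a stretch: T1133 (External Remote Services) describes abuse of legitimate remote-access services, whereas exploiting CVE-2020-1350 in the DNS server is Exploit Public-Facing Application (T1190); the Initial Access tactic is right, the technique should change. Finally, `not process.name : "conhost.exe"` is the only exclusion, which is fine for a service that should spawn nothing, but the guide should say so explicitly so nobody "tunes" the rule by adding exclusions for `cmd.exe` or `powershell.exe`.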
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-child-processes-of-rundll32.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-unusual-child-processes-of-rundll32]] +=== Unusual Child Processes of RunDLL32 + +Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 21 + +*Runs every*: 30m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1h + [process where event.type in ("start", "process_started") and + (process.name : "rundll32.exe" or process.pe.original_file_name == "RUNDLL32.EXE") and + process.args_count == 1 + ] by process.entity_id + [process where event.type in ("start", "process_started") and process.parent.name : "rundll32.exe" + ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ 
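Review bot: prebuilt-rule-7-16-4-unusual-child-processes-of-rundll32.asciidoc has `*Severity*: high` paired with `*Risk score*: 21`; every other high-severity rule in this package uses 73, and 21 is the score the low-severity ML rules carry, so one of the two fields is wrong. The description also does not match the query: it says the rule flags instances "where the command line parameters were suspicious", but the first sequence step matches `process.args_count == 1`, that is, rundll32.exe launched with no arguments at all, which is the signature of a hollowed or injected rundll32 host rather than of suspicious parameters; rewrite the description to say that. The rule has no Investigation guide at all (not even the `event.ingested` Setup paragraph that the other EQL rules on `winlogbeat-*` in this patch carry), which matters here because the 8.2 fallback caveat applies to sequence rules too.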
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-city-for-an-aws-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-city-for-an-aws-command.asciidoc new file mode 100644 index 0000000000..e183086b7a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-city-for-an-aws-command.asciidoc 
@@ -0,0 +1,121 @@ +[[prebuilt-rule-7-16-4-unusual-city-for-an-aws-command]] +=== Unusual City For an AWS Command + +A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* ML + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual City For an AWS Command + +CloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and +understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity +when deviations occur. + +This rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is +sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or +keys used by a threat actor in a different geography than the authorized user(s). + +Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation +of the source IP address. + +#### Possible investigation steps + +- Identify the user account involved and the action performed. Verify whether it should perform this kind of action. 
+ - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the + `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. + - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request. +- Investigate other alerts associated with the user account during the past 48 hours. +- Validate the activity is not related to planned patches, updates, or network administrator activity. +- Examine the request parameters. These might indicate the source of the program or the nature of its tasks. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal +time of day? +- Contact the account owner and confirm whether they are aware of this activity if suspicious. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False positive analysis + +- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS. +- Examine the history of the command. If the command only manifested recently, it might be part of a new automation +module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), +it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field. + +### Related Rules + +- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1 +- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1 +- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff +- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. 
+- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-country-for-an-aws-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-country-for-an-aws-command.asciidoc new file mode 100644 index 0000000000..e51992b461 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-country-for-an-aws-command.asciidoc 
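Review bot: same defect as in the Unusual AWS Command for a User guide, in prebuilt-rule-7-16-4-unusual-city-for-an-aws-command.asciidoc the sentence "You can find the command in the `event.action field` field." should read "in the `event.action` field". Since this rule keys on the source city, the Possible investigation steps would benefit from one bullet that the per-user rule does not need: check whether the source IP belongs to a corporate VPN or proxy egress, a cloud provider range, or a consumer ISP, because a VPN change or a new egress point will surface as a "new city" before it surfaces anywhere else, and that is the most common benign cause beyond the new-employee case already listed under False positive analysis.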
@@ -0,0 +1,121 @@ +[[prebuilt-rule-7-16-4-unusual-country-for-an-aws-command]] +=== Unusual Country For an AWS Command + +A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Cloud +* AWS +* ML + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Country For an AWS Command + +CloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and +understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity +when deviations occur. + +This rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is +sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials +or keys used by a threat actor in a different geography than the authorized user(s). + +Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation +of the source IP address. + +#### Possible investigation steps + +- Identify the user account involved and the action performed. Verify whether it should perform this kind of action. 
+ - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the + `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. + - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request. +- Investigate other alerts associated with the user account during the past 48 hours. +- Validate the activity is not related to planned patches, updates, or network administrator activity. +- Examine the request parameters. These might indicate the source of the program or the nature of its tasks. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source + IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? + Are there any other alerts or signs of suspicious activity involving this instance? +- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal +time of day? +- Contact the account owner and confirm whether they are aware of this activity if suspicious. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, +and data accessed by the account in the last 24 hours. + +### False Positive Analysis + +- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS. +- Examine the history of the command. If the command only manifested recently, it might be part of a new automation +module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), +it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field. + +### Related Rules + +- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276 +- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1 +- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff +- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with +your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. 
+- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-dns-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-dns-activity.asciidoc new file mode 100644 index 0000000000..eb6aa23e3c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-dns-activity.asciidoc 
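Review bot: prebuilt-rule-7-16-4-unusual-country-for-an-aws-command.asciidoc uses the heading `### False Positive Analysis` while the city and per-user rules in this patch use `### False positive analysis`; pick the sentence-case form used everywhere else. It also repeats the "`event.action field` field" typo from the other two AWS ML guides. Otherwise the guide is a near-verbatim copy of the city rule with "city" swapped for "country"; that is acceptable, but the false-positive list should note that country-level anomalies are rarer and higher-signal than city-level ones, since travelling staff and VPN egress changes usually stay within a country, so the two rules warrant different triage priority even though both ship at risk score 21.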
@@ -0,0 +1,54 @@ +[[prebuilt-rule-7-16-4-unusual-dns-activity]] +=== Unusual DNS Activity + +A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Network +* Threat Detection +* ML +* Command and Control + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: DNS +** ID: T1071.004 +** Reference URL: https://attack.mitre.org/techniques/T1071/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-executable-file-creation-by-a-system-critical-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-executable-file-creation-by-a-system-critical-process.asciidoc new file mode 100644 index 0000000000..1bc1a5b7bb --- /dev/null 
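Review bot: the description in prebuilt-rule-7-16-4-unusual-dns-activity.asciidoc reads "detected a rare and unusual DNS query that indicate network activity"; the subject is singular, so "that indicates". More importantly, this ML rule ships with no Investigation guide and no Setup paragraph, whereas the three AWS ML rules in this patch each state which data source the job depends on ("The AWS Fleet integration, Filebeat module, or similarly structured data is required"); add the equivalent statement naming the network DNS data the job is trained on, otherwise users enabling the rule have no way to know why it never produces anomalies.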
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-executable-file-creation-by-a-system-critical-process.asciidoc 
@@ -0,0 +1,130 @@ +[[prebuilt-rule-7-16-4-unusual-executable-file-creation-by-a-system-critical-process]] +=== Unusual Executable File Creation by a System Critical Process + +Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Executable File Creation by a System Critical Process + +Windows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these +characteristics is file operations. + +This rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation +of a vulnerability or a malicious process masquerading as a system-critical process. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file +modifications, and any spawned child processes. 
+- Retrieve the process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type != "deletion" and + file.extension : ("exe", "dll") and + process.name : ("smss.exe", + "autochk.exe", + "csrss.exe", + "wininit.exe", + "services.exe", + "lsass.exe", + "winlogon.exe", + "userinit.exe", + "LogonUI.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Exploitation for Defense Evasion +** ID: T1211 +** Reference URL: https://attack.mitre.org/techniques/T1211/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-file-creation-alternate-data-stream.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-file-creation-alternate-data-stream.asciidoc new file mode 100644 index 0000000000..f2f9ccdff6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-file-creation-alternate-data-stream.asciidoc 
@@ -0,0 +1,110 @@ +[[prebuilt-rule-7-16-4-unusual-file-creation-alternate-data-stream]] +=== Unusual File Creation - Alternate Data Stream + +Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type == "creation" and + file.path : "C:\\*:*" and + not file.path : "C:\\*:zone.identifier*" and + file.extension : + ( + "pdf", + "dll", + "png", + "exe", + "dat", + "com", + "bat", + "cmd", + "sys", + "vbs", + "ps1", + "hta", + "txt", + "vbe", + "js", + "wsh", + "docx", + "doc", + "xlsx", + "xls", + "pptx", + "ppt", + "rtf", + "gif", + "jpg", + "png", + "bmp", + "img", + "iso" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: NTFS File Attributes +** ID: T1564.004 +** Reference URL: https://attack.mitre.org/techniques/T1564/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-file-modification-by-dns-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-file-modification-by-dns-exe.asciidoc new file mode 100644 index 0000000000..dc71ceeda5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-file-modification-by-dns-exe.asciidoc 
@@ -0,0 +1,83 @@ +[[prebuilt-rule-7-16-4-unusual-file-modification-by-dns-exe]] +=== Unusual File Modification by dns.exe + +Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ +* https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Initial Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual File Write +Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation: +- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. +- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care. 
+ +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and + not file.name : "dns.log" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: External Remote Services +** ID: T1133 +** Reference URL: https://attack.mitre.org/techniques/T1133/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-hour-for-a-user-to-logon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-hour-for-a-user-to-logon.asciidoc new file mode 100644 index 0000000000..d8152dffe0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-hour-for-a-user-to-logon.asciidoc 
@@ -0,0 +1,50 @@ +[[prebuilt-rule-7-16-4-unusual-hour-for-a-user-to-logon]] +=== Unusual Hour for a User to Logon + +A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Authentication +* Threat Detection +* ML +* Initial Access + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-network-connection-via-dllhost.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-network-connection-via-dllhost.asciidoc new file mode 100644 index 0000000000..c2e6dad336 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-network-connection-via-dllhost.asciidoc 
@@ -0,0 +1,72 @@ +[[prebuilt-rule-7-16-4-unusual-network-connection-via-dllhost]] +=== Unusual Network Connection via DllHost + +Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ +* https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1m + [process where event.type in ("start", "process_started") and process.name : "dllhost.exe" and process.args_count == 1] + [network where process.name : "dllhost.exe" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", + "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", + "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", + "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: 
https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-network-connection-via-rundll32.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-network-connection-via-rundll32.asciidoc new file mode 100644 index 0000000000..8b0f2e4487 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-network-connection-via-rundll32.asciidoc 
@@ -0,0 +1,122 @@ +[[prebuilt-rule-7-16-4-unusual-network-connection-via-rundll32]] +=== Unusual Network Connection via RunDLL32 + +Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml +* https://redcanary.com/threat-detection-report/techniques/rundll32/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 13 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Network Connection via RunDLL32 + +RunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality +provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to +differentiate malicious activity from normal operations. + +This rule looks for external network connections established using RunDLL32 when the utility is being executed with no +arguments, which can potentially indicate command and control activity. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Investigate the target host that RunDLL32 is communicating with. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. +- Identify the target computer and its role in the IT environment. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, +persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1m + [process where event.type in ("start", "process_started") and process.name : "rundll32.exe" and process.args_count == 1] + [network where process.name : "rundll32.exe" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-parent-child-relationship.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-parent-child-relationship.asciidoc new file mode 100644 index 0000000000..c8196758e7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-parent-child-relationship.asciidoc 
@@ -0,0 +1,156 @@ +[[prebuilt-rule-7-16-4-unusual-parent-child-relationship]] +=== Unusual Parent-Child Relationship + +Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png +* https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 14 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Parent-Child Relationship + +Windows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these +characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the +system and then alert on occurrences that don't comply with the baseline. + +This rule uses this information to spot suspicious parent and child processes. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file +modifications, and any spawned child processes. +- Retrieve the process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and +process.parent.name != null and + ( + /* suspicious parent processes */ + (process.name:"autochk.exe" and not process.parent.name:"smss.exe") or + (process.name:("fontdrvhost.exe", "dwm.exe") and not process.parent.name:("wininit.exe", "winlogon.exe")) or + (process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and not process.parent.name:"svchost.exe") or + (process.name:"SearchIndexer.exe" and not process.parent.name:"services.exe") or + (process.name:"SearchProtocolHost.exe" and not process.parent.name:("SearchIndexer.exe", "dllhost.exe")) or + (process.name:"dllhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or + (process.name:"smss.exe" and not process.parent.name:("System", "smss.exe")) or + (process.name:"csrss.exe" and not process.parent.name:("smss.exe", "svchost.exe")) or + (process.name:"wininit.exe" and not process.parent.name:"smss.exe") or + (process.name:"winlogon.exe" and not process.parent.name:"smss.exe") or + (process.name:("lsass.exe", "LsaIso.exe") and not process.parent.name:"wininit.exe") or + (process.name:"LogonUI.exe" and not process.parent.name:("wininit.exe", "winlogon.exe")) or + (process.name:"services.exe" and not process.parent.name:"wininit.exe") or + (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe")) or + (process.name:"spoolsv.exe" and 
not process.parent.name:"services.exe") or + (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or + (process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe")) or + (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe")) or + (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or + /* suspicious child processes */ + (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe")) or + (process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or + (process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe")) or + (process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or + (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: https://attack.mitre.org/techniques/T1055/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-parent-process-for-cmd-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-parent-process-for-cmd-exe.asciidoc new file mode 100644 index 0000000000..de9d7f00a6 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-parent-process-for-cmd-exe.asciidoc 
@@ -0,0 +1,97 @@ +[[prebuilt-rule-7-16-4-unusual-parent-process-for-cmd-exe]] +=== Unusual Parent Process for cmd.exe + +Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Execution + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : "cmd.exe" and + process.parent.name : ("lsass.exe", + "csrss.exe", + "epad.exe", + "regsvr32.exe", + "dllhost.exe", + "LogonUI.exe", + "wermgr.exe", + "spoolsv.exe", + "jucheck.exe", + "jusched.exe", + "ctfmon.exe", + "taskhostw.exe", + "GoogleUpdate.exe", + "sppsvc.exe", + "sihost.exe", + "slui.exe", + "SIHClient.exe", + "SearchIndexer.exe", + "SearchProtocolHost.exe", + "FlashPlayerUpdateService.exe", + "WerFault.exe", + "WUDFHost.exe", + "unsecapp.exe", + "wlanext.exe" ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-print-spooler-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-print-spooler-child-process.asciidoc new file mode 100644 index 0000000000..e979014a57 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-print-spooler-child-process.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-7-16-4-unusual-print-spooler-child-process]] +=== Unusual Print Spooler Child Process + +Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.parent.name : "spoolsv.exe" and + (?process.Ext.token.integrity_level_name : "System" or + ?winlog.event_data.IntegrityLevel : "System") and + + /* exclusions for FP control below */ + not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and + not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and + not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and + not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and + not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and + not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-process-execution-path-alternate-data-stream.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-process-execution-path-alternate-data-stream.asciidoc new file mode 100644 index 0000000000..d070f24cb7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-process-execution-path-alternate-data-stream.asciidoc 
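Review bot: the false-positive exclusions key on `process.command_line` substrings that the attacker controls (`*\\program files*`, `*route add*`, `*.spl*`, `*rule name*`, `*stop*`, `*start*`), so a malicious driver that launches `cmd.exe` with a command line merely mentioning `\Program Files` is filtered out; constrain these carve-outs by `process.executable` or signer rather than free-text wildcards, and narrow the `net.exe` `*stop*`/`*start*` exception to the spooler service name. Separately, because both integrity-level fields are optional (`?process.Ext.token.integrity_level_name`, `?winlog.event_data.IntegrityLevel`), a data source that maps neither field makes the whole `and` false and the rule never fires; the Setup section should say so.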
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-unusual-process-execution-path-alternate-data-stream]] +=== Unusual Process Execution Path - Alternate Data Stream + +Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.args : "?:\\*:*" and process.args_count == 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: NTFS File Attributes +** ID: T1564.004 +** Reference URL: https://attack.mitre.org/techniques/T1564/004/ 
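Review bot: `process.args_count == 1` limits the match to ADS-hosted images started with no arguments at all, so an invocation such as `C:\dir\file.txt:payload.exe -run` (constructed example) is missed even though the stream pattern matches; if the data source populates `process.executable` for ADS-hosted images, matching `process.executable : "?:\\*:*"` would remove that limitation. The `?:\\*:*` pattern is also looser than a stream path (any argument containing a second colon after the drive letter), so expect to tune it against paths that embed `:` for other reasons.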
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-process-execution-temp.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-process-execution-temp.asciidoc new file mode 100644 index 0000000000..476bdb6797 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-process-execution-temp.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-7-16-4-unusual-process-execution-temp]] +=== Unusual Process Execution - Temp + +Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* Threat Detection +* Execution + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:(start or process_started) and process.working_directory:/tmp and + not process.parent.name:(update-motd-updates-available or + apt or apt-* or + cnf-update-db or + appstreamcli or + unattended-upgrade or + packagekitd) and + not process.args:(/usr/lib/update-notifier/update-motd-updates-available or + /var/lib/command-not-found/) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ 
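Review bot: `process.working_directory:/tmp` is an exact term match on the working directory, not on where the executable lives, so this does not implement the description "processes running in a temporary folder": a binary dropped in `/tmp` and run from another cwd is not matched, a binary anywhere run with cwd `/tmp/build` is not matched, and any legitimate tool that just `cd`s into `/tmp` is. Consider `process.executable:(/tmp/* or /var/tmp/* or /dev/shm/*)` (or combining it with the cwd check) and extending the parent/args exclusions accordingly. The ATT&CK block also lists only the Execution tactic with no technique.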
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-process-network-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-process-network-connection.asciidoc new file mode 100644 index 0000000000..e6e8779818 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-process-network-connection.asciidoc 
@@ -0,0 +1,126 @@ +[[prebuilt-rule-7-16-4-unusual-process-network-connection]] +=== Unusual Process Network Connection + +Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Process Network Connection + +This rule identifies network activity from unexpected system utilities and applications. These applications are commonly +abused by attackers to execute code, evade detections, and bypass security protections. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the target host that the process is communicating with. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. 
+ +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, +persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where (process.name : "Microsoft.Workflow.Compiler.exe" or + process.name : "bginfo.exe" or + process.name : "cdb.exe" or + process.name : "cmstp.exe" or + process.name : "csi.exe" or + process.name : "dnx.exe" or + process.name : "fsi.exe" or + process.name : "ieexec.exe" or + process.name : "iexpress.exe" or + process.name : "odbcconf.exe" or + process.name : "rcsi.exe" or + process.name : "xwizard.exe") and + event.type == "start"] + [network where (process.name : "Microsoft.Workflow.Compiler.exe" or + process.name : "bginfo.exe" or + process.name : "cdb.exe" or + process.name : "cmstp.exe" or + process.name : "csi.exe" or + process.name : "dnx.exe" or + process.name : "fsi.exe" or + process.name : "ieexec.exe" or + process.name : "iexpress.exe" or + process.name : "odbcconf.exe" or + process.name : "rcsi.exe" or + process.name : "xwizard.exe")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-service-host-child-process-childless-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-service-host-child-process-childless-service.asciidoc new file mode 100644 index 0000000000..8d1db6e601 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-service-host-child-process-childless-service.asciidoc 
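Review bot: the twelve-name list is duplicated verbatim across both sequence stages as a chain of `or`, which is a drift risk when a name is added to one stage and not the other; use the set form `process.name : ("Microsoft.Workflow.Compiler.exe", "bginfo.exe", ...)` once, as the other rules in this package do. Because the sequence is joined `by process.entity_id`, the network event necessarily belongs to the same process as the matched start event, so the second stage can be reduced to `[network where true]` without changing what matches.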
@@ -0,0 +1,104 @@ +[[prebuilt-rule-7-16-4-unusual-service-host-child-process-childless-service]] +=== Unusual Service Host Child Process - Childless Service + +Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion +* Privilege Escalation + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : "svchost.exe" and + + /* based on svchost service arguments -s svcname where the service is known to be childless */ + + process.parent.args : ("WdiSystemHost","LicenseManager", + "StorSvc","CDPSvc","cdbhsvc","BthAvctpSvc","SstpSvc","WdiServiceHost", + "imgsvc","TrkWks","WpnService","IKEEXT","PolicyAgent","CryptSvc", + "netprofm","ProfSvc","StateRepository","camsvc","LanmanWorkstation", + "NlaSvc","EventLog","hidserv","DisplayEnhancementService","ShellHWDetection", + "AppHostSvc","fhsvc","CscService","PushToInstall") and + + /* unknown FPs can be added here */ + + not process.name : ("WerFault.exe","WerFaultSecure.exe","wermgr.exe") and + not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and + not (process.name : "rundll32.exe" and + process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and process.parent.args : "WdiServiceHost") and + not (process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\Kodak\\kds_i4x50\\lib\\lexexe.exe") and + process.parent.args : "imgsvc") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: https://attack.mitre.org/techniques/T1055/012/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ 
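Review bot: the comment says the match is "based on svchost service arguments -s svcname", but that argument is only present when the service runs in its own `svchost.exe` instance; on hosts where services are still grouped under a shared `-k` host (low-memory Windows 10 systems and older builds), `process.parent.args` carries no service name and the rule is silent. That caveat belongs in the Setup section. The `imgsvc` carve-out for anything under `?:\\Program Files\\*` and `?:\\Program Files (x86)\\*` is also broad for a code-injection detection; restricting it to the vendor directories actually observed would keep an injected `imgsvc` host from laundering a child through any installed application path.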
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-source-ip-for-a-user-to-logon-from.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-source-ip-for-a-user-to-logon-from.asciidoc new file mode 100644 index 0000000000..0cd41b23f8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-source-ip-for-a-user-to-logon-from.asciidoc @@ -0,0 +1,50 @@ +[[prebuilt-rule-7-16-4-unusual-source-ip-for-a-user-to-logon-from]] +=== Unusual Source IP for a User to Logon from + +A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Authentication +* Threat Detection +* ML +* Initial Access + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-web-request.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-web-request.asciidoc new file mode 100644 index 0000000000..41465d0621 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-web-request.asciidoc 
@@ -0,0 +1,54 @@ +[[prebuilt-rule-7-16-4-unusual-web-request]] +=== Unusual Web Request + +A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Network +* Threat Detection +* ML +* Command and Control + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: Web Protocols +** ID: T1071.001 +** Reference URL: https://attack.mitre.org/techniques/T1071/001/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-web-user-agent.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-web-user-agent.asciidoc new file mode 100644 index 0000000000..76aa3165bb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-unusual-web-user-agent.asciidoc 
@@ -0,0 +1,54 @@ +[[prebuilt-rule-7-16-4-unusual-web-user-agent]] +=== Unusual Web User Agent + +A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Elastic +* Network +* Threat Detection +* ML +* Command and Control + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: Web Protocols +** ID: T1071.001 +** Reference URL: https://attack.mitre.org/techniques/T1071/001/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-account-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-account-creation.asciidoc new file mode 100644 index 0000000000..f6cb1cdebc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-account-creation.asciidoc 
@@ -0,0 +1,116 @@ +[[prebuilt-rule-7-16-4-user-account-creation]] +=== User Account Creation + +Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 14 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating User Account Creation + +Attackers may create new accounts (both local and domain) to maintain access to victim systems. + +This rule identifies the usage of `net.exe` to create new accounts. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Identify if the account was added to privileged groups or assigned special privileges after creation. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before +investigating further, verify that this activity is not benign. 
+ +### Related rules + +- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Delete the created account. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : ("net.exe", "net1.exe") and + not process.parent.name : "net.exe" and + (process.args : "user" and process.args : ("/ad", "/add")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ 
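Review bot: the investigation guide says attackers "may create new accounts (both local and domain)", and the query matches `net user ... /add` regardless of a `/domain` switch, yet the ATT&CK block maps only `T1136.001` Local Account; either add `T1136.002` Domain Account or state that domain creation is out of scope. Worth noting in the false-positive section that `process.args : "user"` is an exact token match, so `net user` invoked with the account name first (`net user /add foo`) is still caught but `net localgroup` is intentionally not, to avoid overlap with the group-membership rules.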
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-account-exposed-to-kerberoasting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-account-exposed-to-kerberoasting.asciidoc new file mode 100644 index 0000000000..08b3dc7df3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-account-exposed-to-kerberoasting.asciidoc 
@@ -0,0 +1,153 @@ +[[prebuilt-rule-7-16-4-user-account-exposed-to-kerberoasting]] +=== User account exposed to Kerberoasting + +Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting +* https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/ +* https://www.thehacker.recipes/ad/movement/kerberos/kerberoast +* https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting +* https://adsecurity.org/?p=280 +* https://github.com/OTRF/Set-AuditRule + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Credential Access +* Active Directory + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating User account exposed to Kerberoasting + +Service Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target +computers. + +By default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default +domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making +them invulnerable to Kerberoasting. 
+ +A user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any +user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret +key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this +information, as the human-defined password is likely to be less complex. + +For scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) +feature, which ensures that account passwords are robust and changed regularly and automatically. More information can +be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview). + +Attackers can also perform "Targeted Kerberoasting", which consists of adding fake SPNs to user accounts that they have +write privileges to, making them potentially vulnerable to Kerberoasting. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.). +- Investigate if tickets have been requested for the target account. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The +security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. 
+Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same +security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing +them to credential cracking attacks (Kerberoasting, brute force, etc.). + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. Prioritize privileged accounts. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +``` + +The above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule. +As this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise. 
+ +``` +Set-AuditRule -AdObjectPath 'AD:\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"Directory Service Changes" and event.code:5136 and winlog.event_data.ObjectClass:"user" +and winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: Kerberoasting +** ID: T1558.003 +** Reference URL: https://attack.mitre.org/techniques/T1558/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-added-as-owner-for-azure-application.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-added-as-owner-for-azure-application.asciidoc new file mode 100644 index 0000000000..0f34adee17 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-added-as-owner-for-azure-application.asciidoc 
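Review bot: event 5136 is written for both attribute-value additions and deletions, and the query filters only on `event.code:5136`, `ObjectClass:"user"` and `AttributeLDAPDisplayName:"servicePrincipalName"`, so removing an SPN (the remediation step itself) raises the same high-severity alert as adding one; add `winlog.event_data.OperationType:"%%14674"` (Value Added) or document the expected duplicate. The `Set-AuditRule` example scopes the SACL to `CN=Users` with `-InheritanceFlags Children`, so user objects in any other OU are never audited and never produce 5136; the Setup text should say the rule must be applied to every OU that holds user accounts. Wording: "Service Principle Names" in the description should read "Service Principal Names".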
@@ -0,0 +1,71 @@ +[[prebuilt-rule-7-16-4-user-added-as-owner-for-azure-application]] +=== User Added as Owner for Azure Application + +Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-added-as-owner-for-azure-service-principal.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-added-as-owner-for-azure-service-principal.asciidoc new file mode 100644 index 0000000000..a2479e5d73 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-added-as-owner-for-azure-service-principal.asciidoc 
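Review bot: `event.outcome:(Success or success)` in the rule query of the "User Added as Owner for Azure Application" hunk above implies the outcome value arrives in two casings from different sources; say so in the Setup section so a later maintainer does not collapse it to one value and silently lose half the events. The hunk also has `*References*: None` although the sibling service-principal rule cites https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals, which applies equally to application objects, and the investigation guide carries no triage step; at minimum add "confirm the new owner against the change record and with the application's existing owners".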
@@ -0,0 +1,73 @@ +[[prebuilt-rule-7-16-4-user-added-as-owner-for-azure-service-principal]] +=== User Added as Owner for Azure Service Principal + +Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals + +*Tags*: + +* Elastic +* Cloud +* Azure +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-added-to-privileged-group-in-active-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-added-to-privileged-group-in-active-directory.asciidoc new file mode 100644 index 0000000000..4b91f4a046 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-user-added-to-privileged-group-in-active-directory.asciidoc 
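Review bot: The investigation guide in the service-principal hunk above consists only of the Setup paragraph, while the description itself explains why the change matters (the service principal object defines what the application can do in the tenant and which resources it can access); add triage steps that follow from that: check whether the acting account is expected to administer this service principal, confirm the added owner against the change record, and review the service principal's assigned permissions and credentials after the ownership change, since a new owner can alter both.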
@@ -0,0 +1,116 @@ +[[prebuilt-rule-7-16-4-user-added-to-privileged-group-in-active-directory]] +=== User Added to Privileged Group in Active Directory + +Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic +* Skoetting + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating User Added to Privileged Group in Active Directory + +Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are +granted that allow them to perform nearly any action in Active Directory and on domain-joined systems. + +Attackers can add users to privileged groups to maintain a level of access if their other privileged accounts are +uncovered by the security team. This allows them to keep operating after the security team discovers abused accounts. + +This rule monitors events related to a user being added to a privileged group. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should manage members of this group. 
+- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is +legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account +this level of privilege. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If the admin is not aware of the operation, activate your Active Directory incident response plan. +- If the user does not need the administrator privileges, remove the account from the privileged group. +- Review the privileges of the administrator account that performed the action. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +iam where event.action == "added-member-to-group" and + group.name : ("Admin*", + "Local Administrators", + "Domain Admins", + "Enterprise Admins", + "Backup Admins", + "Schema Admins", + "DnsAdmins", + "Exchange Organization Administrators") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-virtual-machine-fingerprinting-via-grep.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-virtual-machine-fingerprinting-via-grep.asciidoc new file mode 100644 index 0000000000..c644469f02 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-virtual-machine-fingerprinting-via-grep.asciidoc 
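Review bot: In the rule query of the privileged-group hunk above, `"Backup Admins"` is not a default Active Directory group (the built-in group is `Backup Operators`), so that entry never matches, while the other built-in operator groups (Account Operators, Server Operators, Print Operators) that the referenced Microsoft appendix covers are absent from the list; replace `"Backup Admins"` with `"Backup Operators"` and consider adding the others. `"Admin*"` is a prefix match that catches `Administrators` but will also fire on any custom group whose name starts with Admin, which the false-positive section should mention.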
@@ -0,0 +1,77 @@ +[[prebuilt-rule-7-16-4-virtual-machine-fingerprinting-via-grep]] +=== Virtual Machine Fingerprinting via Grep + +An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x4F.html + +*Tags*: + +* Elastic +* Host +* macOS +* Linux +* Threat Detection +* Discovery + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.name in ("grep", "egrep") and user.id != "0" and + process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and + not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-virtual-private-network-connection-attempt.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-virtual-private-network-connection-attempt.asciidoc new file mode 100644 index 0000000000..06e1927b2c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-virtual-private-network-connection-attempt.asciidoc 
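Review bot: The description in the grep-fingerprinting hunk above says the rule "identifies common locations used to discover virtual machine hardware", but the query matches grep's search patterns (`parallels*`, `vmware*`, `virtualbox*` together with `Manufacturer*`), not file paths; reword to "identifies grep searches for virtualization vendor strings in hardware information". Also note the mixed comparison semantics: `process.name in ("grep", "egrep")` and `user.id != "0"` are case-sensitive exact matches while every `process.args :` clause is a case-insensitive wildcard, which is fine for these binaries but worth a comment so the pattern is not copied to fields where it matters.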
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-virtual-private-network-connection-attempt]] +=== Virtual Private Network Connection Attempt + +Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb +* https://www.unix.com/man-page/osx/8/networksetup/ +* https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx + +*Tags*: + +* Elastic +* Host +* macOS +* Threat Detection +* Lateral Movement + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ( + (process.name : "networksetup" and process.args : "-connectpppoeservice") or + (process.name : "scutil" and process.args : "--nc" and process.args : "start") or + (process.name : "osascript" and process.command_line : "osascript*set VPN to service*") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc new file mode 100644 index 0000000000..3eab5afd1d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc 
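Review bot: The investigation guide in the VPN hunk above contains only the Setup paragraph, yet `networksetup -connectpppoeservice`, `scutil --nc start` and the osascript `set VPN to service` phrase are exactly what user-facing scripts and MDM profiles run to bring up a corporate VPN; add a false-positive section advising analysts to baseline `process.parent.executable` and the user of sanctioned VPN tooling and to add exceptions for it, and a triage step to check whether the target VPN service is one the organization configured. Without that, a low-severity rule with three referenced sources of legitimate use will be tuned out quickly.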
@@ -0,0 +1,142 @@ +[[prebuilt-rule-7-16-4-volume-shadow-copy-deleted-or-resized-via-vssadmin]] +=== Volume Shadow Copy Deleted or Resized via VssAdmin + +Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Impact + +*Version*: 16 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes +that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow +Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow +copies worth monitoring. + +This rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. 
+- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your +environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Priority should be given due to the advanced stage of this activity on the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") + and (process.name : "vssadmin.exe" or process.pe.original_file_name == "VSSADMIN.EXE") and + process.args in ("delete", "resize") and process.args : "shadows*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-volume-shadow-copy-deletion-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-volume-shadow-copy-deletion-via-powershell.asciidoc new file mode 100644 index 0000000000..5fa93d9ccd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-volume-shadow-copy-deletion-via-powershell.asciidoc 
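Review bot: In the rule query of the VssAdmin hunk above, `process.args in ("delete", "resize")` is a case-sensitive exact comparison while `process.name : "vssadmin.exe"` and `process.args : "shadows*"` are case-insensitive, and vssadmin itself accepts its verbs in any casing, so an invocation with capitalized verbs passes the name and `shadows*` checks but fails the `in`; use `process.args : ("delete", "resize")` (or `in~`) for consistency. The "Related rules" list also names this rule itself (b5ea4bfe-a1b2-421f-9d47-22a75a6f2921) instead of the WMIC variant from the same package, and "Priority should be given due to the advanced stage of this activity on the attack" reads awkwardly; suggest "Prioritize this alert, since shadow copy deletion indicates a late stage of the attack".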
@@ -0,0 +1,148 @@ +[[prebuilt-rule-7-16-4-volume-shadow-copy-deletion-via-powershell]] +=== Volume Shadow Copy Deletion via PowerShell + +Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy +* https://powershell.one/wmi/root/cimv2/win32_shadowcopy +* https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Impact + +*Version*: 7 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Volume Shadow Copy Deletion via PowerShell + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes +that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow +Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow +copies worth monitoring. + +This rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow +copy objects, and delete them. + +#### Possible investigation steps + +- Investigate the program execution chain (parent process tree). 
+- Check whether the account is authorized to perform this operation. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your +environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Priority should be given due to the advanced stage of this activity on the attack. +- If the triage identified malware, search the environment for additional compromised hosts. 
+ - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + process.args : ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") and + process.args : ("*Win32_ShadowCopy*") and + process.args : ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-volume-shadow-copy-deletion-via-wmic.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-volume-shadow-copy-deletion-via-wmic.asciidoc new file mode 100644 index 0000000000..7bd84023ab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-volume-shadow-copy-deletion-via-wmic.asciidoc 
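Review bot: The "Related rules" list in the PowerShell hunk above includes this rule itself (d99a037b-c8e2-47a5-97b9-170d076827c4) and omits "Volume Shadow Copy Deletion via WMIC", which ships in the same package; swap them. In the rule query, the substring wildcards `"*gwmi*"`, `"*gcim*"`, `"*rwmi*"` and `"*rcim*"` match any argument containing those letter sequences, not only the cmdlet aliases, so the false-positive section should name this as a source of benign true positives when all three argument clauses happen to line up. The first investigation step, "Investigate the program execution chain (parent process tree).", could reuse the fuller text from the VssAdmin rule (prevalence, expected location, valid signature) so the three VSS rules give the same guidance.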
@@ -0,0 +1,141 @@ +[[prebuilt-rule-7-16-4-volume-shadow-copy-deletion-via-wmic]] +=== Volume Shadow Copy Deletion via WMIC + +Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Impact + +*Version*: 15 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Volume Shadow Copy Deletion via WMIC + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes +that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow +Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow +copies worth monitoring. + +This rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter. + +#### Possible investigation steps + +- Investigate the program execution chain (parent process tree). +- Check whether the account is authorized to perform this operation. +- Contact the account owner and confirm whether they are aware of this activity. +- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your +environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Priority should be given due to the advanced stage of this activity on the attack. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + (process.name : "WMIC.exe" or process.pe.original_file_name == "wmic.exe") and + process.args : "delete" and process.args : "shadowcopy" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-webserver-access-logs-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-webserver-access-logs-deleted.asciidoc new file mode 100644 index 0000000000..ae8a1f67e8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-webserver-access-logs-deleted.asciidoc 
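Review bot: The investigation step "In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB" in the WMIC hunk above was carried over from the VssAdmin rule, but this query matches only `process.args : "delete" and process.args : "shadowcopy"`; no resize can reach this rule, so drop the step. The false-positive section could also state that, unlike the VssAdmin rule, there is no legitimate administrative resize path here, which makes exceptions for this rule narrower.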
@@ -0,0 +1,80 @@ +[[prebuilt-rule-7-16-4-webserver-access-logs-deleted]] +=== WebServer Access Logs Deleted + +Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Linux +* Windows +* macOS +* Threat Detection +* Defense Evasion + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type == "deletion" and + file.path : ("C:\\inetpub\\logs\\LogFiles\\*.log", + "/var/log/apache*/access.log", + "/etc/httpd/logs/access_log", + "/var/log/httpd/access_log", + "/var/www/*/logs/access.log") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal on Host +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ 
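Review bot: the path list in the query covers IIS (`C:\\inetpub\\logs\\LogFiles\\*.log`) and Apache/httpd (`/var/log/apache*/access.log`, `/var/log/httpd/access_log`), but no nginx location such as `/var/log/nginx/access.log`, even though the rule is titled generically "WebServer Access Logs Deleted" and is tagged Linux and macOS; the same goes for rotated files (`access.log.1`, `access_log-*`), which the patterns do not match, so an attacker who removes only the rotated history is not seen. Either add those patterns or narrow the rule name and description to the servers it actually covers, and consider replacing `*References*: None` with the vendor log-location documentation the path list was derived from.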
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-webshell-detection-script-process-child-of-common-web-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-webshell-detection-script-process-child-of-common-web-processes.asciidoc new file mode 100644 index 0000000000..432e0459a8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-webshell-detection-script-process-child-of-common-web-processes.asciidoc 
@@ -0,0 +1,92 @@ +[[prebuilt-rule-7-16-4-webshell-detection-script-process-child-of-common-web-processes]] +=== Webshell Detection: Script Process Child of Common Web Processes + +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Persistence + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Detections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized. + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and + process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-whitespace-padding-in-process-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-whitespace-padding-in-process-command-line.asciidoc new file mode 100644 index 0000000000..e2c1052202 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-whitespace-padding-in-process-command-line.asciidoc 
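Review bot: the query gates on `event.type == "start"` while the WMIC, whoami and whitespace-padding rules in this same package, which read the same `winlogbeat-*` and `logs-windows.*` indices, use `event.type in ("start", "process_started")`; pick one form across the package so the rule does not silently miss the data source the other rules expect. The `## Triage and analysis` text is also a single generic sentence ("Detections should be investigated to identify if the activity corresponds to legitimate activity"), unlike the step-by-step guides in the neighbouring files; for a rule scored at 73 it should at least list the investigation steps (parent web process, command line of the child, the request that triggered it) and a false-positive section for legitimate CGI or management scripts spawned by `php-cgi.exe` or `tomcat.exe`.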
@@ -0,0 +1,126 @@ +[[prebuilt-rule-7-16-4-whitespace-padding-in-process-command-line]] +=== Whitespace Padding in Process Command Line + +Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/JohnLaTwC/status/1419251082736201737 + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Whitespace Padding in Process Command Line + +This rule identifies process execution events where the command line value contains a long sequence of whitespace +characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections +by padding their malicious command with unnecessary whitespace characters. + +#### Possible investigation steps + +- Analyze the command line of the process in question for evidence of malicious code execution. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file +modifications, and any spawned child processes. +- Retrieve the process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- Alerts derived from this rule are not inherently malicious. Analysts can dismiss the alert if they don't find enough +evidence of further suspicious activity. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove the malicious certificate from the root certificate store. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.command_line regex ".*[ ]{20,}.*" or + + /* this will match on 3 or more separate occurrences of 3+ contiguous whitespace characters */ + process.command_line regex "([^ ]+[ ]{3,}[^ ]*){3,}.*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-whoami-process-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-whoami-process-activity.asciidoc new file mode 100644 index 0000000000..c710834b10 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-whoami-process-activity.asciidoc 
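Review bot: operator precedence in the rule query is wrong. `and` binds tighter than `or`, so `event.type in ("start", "process_started") and process.command_line regex ".*[ ]{20,}.*" or process.command_line regex "([^ ]+[ ]{3,}[^ ]*){3,}.*"` applies the `event.type` filter only to the first regex; the second regex matches any process event of any type, which both inflates alert volume and makes the rule fire on process-end records. Wrap the two regex clauses in parentheses: `event.type in ("start", "process_started") and (process.command_line regex "..." or process.command_line regex "...")`. Separately, the remediation list contains "Remove the malicious certificate from the root certificate store.", which was copied from a certificate-related rule and has nothing to do with whitespace padding; drop it.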
@@ -0,0 +1,115 @@ +[[prebuilt-rule-7-16-4-whoami-process-activity]] +=== Whoami Process Activity + +Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* logs-system.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Whoami Process Activity + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current +privileges, discover the current user, determine if a privilege escalation was successful, etc. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. 
+ +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Related rules + +- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and process.name : "whoami.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Owner/User Discovery +** ID: T1033 +** Reference URL: https://attack.mitre.org/techniques/T1033/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-defender-disabled-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-defender-disabled-via-registry-modification.asciidoc new file mode 100644 index 0000000000..4141bbfe32 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-defender-disabled-via-registry-modification.asciidoc 
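Review bot: the query matches on `process.name : "whoami.exe"` alone, so a copied or renamed binary is not detected; the WMIC rule in this same package pairs the name check with `process.pe.original_file_name`, and this rule should do the same (`process.name : "whoami.exe" or process.pe.original_file_name : "whoami.exe"`). Also note that this rule lists `logs-system.*` among its indices while the other process rules in the package do not; if that is intentional (Windows 4688 events), say so in the Setup section, otherwise align the index list.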
@@ -0,0 +1,138 @@ +[[prebuilt-rule-7-16-4-windows-defender-disabled-via-registry-modification]] +=== Windows Defender Disabled via Registry Modification + +Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2020/12/13/defender-control/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Defender Disabled via Registry Modification + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple +environments. Disabling it is a common step in threat actor playbooks. + +This rule monitors the registry for configurations that disable Windows Defender or the start of its service. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate +software installations. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if this operation was approved and performed according to the organization's change management policy. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, +the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), +and no other suspicious activity has been observed. + +### Related rules + +- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87 +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Re-enable Windows Defender and restore the service configurations to automatic start. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where event.type in ("creation", "change") and + ( + ( + registry.path:"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" and + registry.data.strings: ("1", "0x00000001") + ) or + ( + registry.path:"HKLM\\System\\*ControlSet*\\Services\\WinDefend\\Start" and + registry.data.strings in ("3", "4", "0x00000003", "0x00000004") + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-defender-exclusions-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-defender-exclusions-added-via-powershell.asciidoc new file mode 100644 index 0000000000..38fd2d2bfd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-defender-exclusions-added-via-powershell.asciidoc 
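Review bot: severity here is `low` with risk score 21, yet the rule fires on Defender being switched off outright (`DisableAntiSpyware` = 1) or its service set to manual/disabled (`WinDefend\Start` in 3, 4), which the guide itself calls "a common step in threat actor playbooks"; the sibling rule for merely adding an exclusion is `medium`/47, so the scores are inverted relative to impact and this one should be raised. On coverage, the query only watches the Group Policy path `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware`; consider also matching the non-policy `HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\*` equivalent, which tools like the one in the referenced Defender Control write-up also touch. Finally, the sentence "This rule monitors the registry for configurations that disable Windows Defender or the start of its service." should read "...or change the start type of its service."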
@@ -0,0 +1,154 @@ +[[prebuilt-rule-7-16-4-windows-defender-exclusions-added-via-powershell]] +=== Windows Defender Exclusions Added via PowerShell + +Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 11 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Defender Exclusions Added via PowerShell + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is +used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration +settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of +the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) +was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Examine the exclusion in order to determine the intent behind it. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This rule has a high chance to produce false positives due to how often network administrators legitimately configure +exclusions. In order to validate the activity further, review the specific exclusion and its intent. There are many +legitimate reasons for exclusions, so it's important to gain context. + +### Related rules + +- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb +- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Exclusion lists for antimalware capabilities should always be routinely monitored for review. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and + process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and + process.args : ("*-Exclusion*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-firewall-disabled-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-firewall-disabled-via-powershell.asciidoc new file mode 100644 index 0000000000..9d6ab9fc09 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-firewall-disabled-via-powershell.asciidoc 
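Review bot: the original-file-name clause is effectively dead. `process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")` uses `in`, which is a case-sensitive exact match, but the OriginalFilename embedded in the PowerShell binary is `PowerShell.EXE` (the firewall rule later in this same package compares against exactly that string) and the ISE binary uses `powershell_ise.EXE`, so the lowercase values will never match and the rule falls back to `process.name` alone. Use the case-insensitive operator, `process.pe.original_file_name : ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")`. Worth adding to the false-positive section: because the rule keys on `process.args : ("*Add-MpPreference*", "*Set-MpPreference*")`, an encoded command (`-EncodedCommand`) or a cmdlet invoked from a script file carries none of those strings on the command line and is not seen, so the rule should be described as catching the interactive/one-liner case only.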
@@ -0,0 +1,125 @@ +[[prebuilt-rule-7-16-4-windows-firewall-disabled-via-powershell]] +=== Windows Firewall Disabled via PowerShell + +Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps +* https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell +* http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +* http://woshub.com/manage-windows-firewall-powershell/ + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Defense Evasion + +*Version*: 8 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Firewall Disabled via PowerShell + +Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a +device and blocks unauthorized network traffic flowing into or out of the local device. + +Attackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity. + +This rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` +PowerShell cmdlet. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. + +### False positive analysis + +- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing +troubleshooting. +- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Re-enable the firewall with its desired configurations. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.action == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and + process.args : "*Set-NetFirewallProfile*" and + (process.args : "*-Enabled*" and process.args : "*False*") and + (process.args : "*-All*" or process.args : ("*Public*", "*Domain*", "*Private*")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-network-enumeration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-network-enumeration.asciidoc new file mode 100644 index 0000000000..fb95ab7447 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-network-enumeration.asciidoc 
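Review bot: the query starts with `process where event.action == "start"`, but `event.action` is source-specific (Elastic Endpoint uses "start", Sysmon and Security-log data shipped by winlogbeat use different values), whereas every other process rule in this package gates on `event.type`; with `winlogbeat-*` and `logs-windows.*` listed as rule indices, this clause restricts the rule to endpoint data in practice and should become `event.type in ("start", "process_started")`. The PE check `process.pe.original_file_name == "PowerShell.EXE"` also covers only Windows PowerShell, while the name list includes `pwsh.exe` and `powershell_ise.exe`; match the exclusions rule above and include `pwsh.dll` and `powershell_ise.EXE` (with `:` rather than `==`).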
@@ -0,0 +1,128 @@ +[[prebuilt-rule-7-16-4-windows-network-enumeration]] +=== Windows Network Enumeration + +Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Discovery + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Network Enumeration + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives +or printers. This information is useful to attackers as they can identify targets for lateral movements and search for +valuable shared data. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. 
+ +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or + ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and + not process.parent.name : "net.exe")) and + (process.args : "view" or (process.args : "time" and process.args : "\\\\*")) + + + /* expand when ancestry is available + and not descendant of [process where event.type == ("start", "process_started") and process.name : "cmd.exe" and + ((process.parent.name : "userinit.exe") or + (process.parent.name : "gpscript.exe") or + (process.parent.name : "explorer.exe" and + process.args : "C:\\*\\Start Menu\\Programs\\Startup\\*.bat*"))] + */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Network Share Discovery +** ID: T1135 +** Reference URL: https://attack.mitre.org/techniques/T1135/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-script-executing-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-script-executing-powershell.asciidoc new file mode 100644 index 0000000000..d442d7f035 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-script-executing-powershell.asciidoc 
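Review bot: in the Windows Network Enumeration rule query, the commented-out ancestry block uses `event.type == ("start", "process_started")`, an equality test against a tuple rather than a membership test; if the comment is ever re-enabled it should read `event.type in ("start", "process_started")` as the live part of the query does. In the investigation guide, "enumerate servers in the environment that hosts shared drives or printers" should be "that host".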
@@ -0,0 +1,134 @@ +[[prebuilt-rule-7-16-4-windows-script-executing-powershell]] +=== Windows Script Executing PowerShell + +Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Initial Access + +*Version*: 14 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Script Executing PowerShell + +The Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, +such as logon scripting, administrative scripting, and machine automation. + +Attackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but +can also use them to download tools and utilities needed to accomplish their goals. + +This rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate commands executed by the spawned PowerShell process. 
+- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Determine how the script file was delivered (email attachment, dropped by other processes, etc.). +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives +(B-TPs), exceptions can be added. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. 
+- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-script-interpreter-executing-process-via-wmi.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-script-interpreter-executing-process-via-wmi.asciidoc new file mode 100644 index 0000000000..e8f2bac4fd --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-script-interpreter-executing-process-via-wmi.asciidoc 
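Review bot: the Windows Script Executing PowerShell rule query matches only `process.name : "powershell.exe"`, whereas the firewall rule earlier in this package also lists `pwsh.exe` and `powershell_ise.exe` and checks `process.pe.original_file_name == "PowerShell.EXE"`; aligning the two would cover PowerShell 7 children of `cscript.exe`/`wscript.exe` and binaries launched under another name. Grammar in the guide: "is an Windows automation technology" should be "a Windows", and the comma in "executing a PowerShell script, may be indicative" should be dropped.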
@@ -0,0 +1,92 @@ +[[prebuilt-rule-7-16-4-windows-script-interpreter-executing-process-via-wmi]] +=== Windows Script Interpreter Executing Process via WMI + +Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Initial Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan = 5s + [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")] + [process where event.type in ("start", "process_started") and + process.parent.name : "wmiprvse.exe" and + user.domain != "NT AUTHORITY" and + (process.pe.original_file_name : + ( + "cscript.exe", + "wscript.exe", + "PowerShell.EXE", + "Cmd.Exe", + "MSHTA.EXE", + "RUNDLL32.EXE", + "REGSVR32.EXE", + "MSBuild.exe", + "InstallUtil.exe", + "RegAsm.exe", + "RegSvcs.exe", + "msxsl.exe", + "CONTROL.EXE", + "EXPLORER.EXE", + "Microsoft.Workflow.Compiler.exe", + "msiexec.exe" + ) or + process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe") + ) + ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** 
Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-service-installed-via-an-unusual-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-service-installed-via-an-unusual-client.asciidoc new file mode 100644 index 0000000000..622ecdb85f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-windows-service-installed-via-an-unusual-client.asciidoc 
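Review bot: the Windows Script Interpreter Executing Process via WMI rule ships without an `==== Investigation guide` section, unlike the other Windows rules in this package, yet its query is the one most in need of triage notes: `sequence by host.id with maxspan = 5s` ties the `wmiutils.dll` load in `wscript.exe`/`cscript.exe` to a later `wmiprvse.exe` child only by host, not by process, so on a busy host an unrelated WMI-spawned process can pair with a legitimate script's library load. At minimum the guide should carry the same `event.ingested` Setup caveat as the sibling EQL rules, since this rule also targets `winlogbeat-*`.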
@@ -0,0 +1,91 @@ +[[prebuilt-rule-7-16-4-windows-service-installed-via-an-unusual-client]] +=== Windows Service Installed via an Unusual Client + +Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.x86matthew.com/view_post?id=create_svc_rpc +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md + +*Tags*: + +* Elastic +* Host +* Windows +* Threat Detection +* Privilege Escalation + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The 'Audit Security System Extension' logging policy must be configured for (Success) +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +System > +Audit Security System Extension (Success) +``` + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"service-installed" and (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege 
Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-zoom-meeting-with-no-passcode.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-zoom-meeting-with-no-passcode.asciidoc new file mode 100644 index 0000000000..3f61dd20db --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rule-7-16-4-zoom-meeting-with-no-passcode.asciidoc 
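Review bot: the Setup text for Windows Service Installed via an Unusual Client has a doubled word ("with with Advanced Audit Configuration") and its first sentence lacks a terminating period. More substantively, the guide explains only how to enable "Audit Security System Extension" and never says why `winlog.event_data.ClientProcessId:"0"` or `winlog.event_data.ParentProcessId:"0"` in a `service-installed` (4697) event marks the client as unusual; a sentence linking the query to the x86matthew create_svc_rpc reference would let analysts judge false positives.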
@@ -0,0 +1,75 @@ +[[prebuilt-rule-7-16-4-zoom-meeting-with-no-passcode]] +=== Zoom Meeting with no Passcode + +This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.zoom.us/a-message-to-our-users/ +* https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic + +*Tags*: + +* Elastic +* Application +* Communication +* Zoom +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup + +The Zoom Filebeat module or similarly structured data is required to be compatible with this rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.type:creation and event.module:zoom and event.dataset:zoom.webhook and + event.action:meeting.created and not zoom.meeting.password:* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rules-7-16-4-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rules-7-16-4-appendix.asciidoc new file mode 100644 index 0000000000..03c76ce9ee --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rules-7-16-4-appendix.asciidoc 
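Review bot: in the Zoom Meeting with no Passcode rule, `*Searches indices from*: None` is inconsistent with `*Runs every*: 5m` and with every other rule in this package (`now-9m`); if the rule definition truly has no `from` value, the rendered text should say so rather than print `None` beside the Date Math link. In the description, "typically resulting of the shutdown of the session" should read "resulting in".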
@@ -0,0 +1,520 @@ +["appendix",role="exclude",id="prebuilt-rule-7-16-4-prebuilt-rules-7-16-4-appendix"] += Downloadable rule update v7.16.4 + +This section lists all updates associated with version 7.16.4 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-7-16-4-potential-cookies-theft-via-browser-debugging.asciidoc[] +include::prebuilt-rule-7-16-4-webserver-access-logs-deleted.asciidoc[] +include::prebuilt-rule-7-16-4-tampering-of-bash-command-line-history.asciidoc[] +include::prebuilt-rule-7-16-4-elastic-agent-service-terminated.asciidoc[] +include::prebuilt-rule-7-16-4-timestomping-using-touch-command.asciidoc[] +include::prebuilt-rule-7-16-4-security-software-discovery-via-grep.asciidoc[] +include::prebuilt-rule-7-16-4-virtual-machine-fingerprinting-via-grep.asciidoc[] +include::prebuilt-rule-7-16-4-potential-reverse-shell-activity-via-terminal.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-java-child-process.asciidoc[] +include::prebuilt-rule-7-16-4-hosts-file-modified.asciidoc[] +include::prebuilt-rule-7-16-4-zoom-meeting-with-no-passcode.asciidoc[] +include::prebuilt-rule-7-16-4-aws-cloudtrail-log-created.asciidoc[] +include::prebuilt-rule-7-16-4-aws-iam-brute-force-of-assume-role-policy.asciidoc[] +include::prebuilt-rule-7-16-4-aws-iam-user-addition-to-group.asciidoc[] +include::prebuilt-rule-7-16-4-aws-management-console-brute-force-of-root-user-identity.asciidoc[] +include::prebuilt-rule-7-16-4-aws-access-secret-in-secrets-manager.asciidoc[] +include::prebuilt-rule-7-16-4-aws-cloudtrail-log-deleted.asciidoc[] +include::prebuilt-rule-7-16-4-aws-cloudtrail-log-suspended.asciidoc[] +include::prebuilt-rule-7-16-4-aws-cloudwatch-alarm-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-aws-config-resource-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-aws-configuration-recorder-stopped.asciidoc[] +include::prebuilt-rule-7-16-4-aws-vpc-flow-logs-deletion.asciidoc[] 
+include::prebuilt-rule-7-16-4-aws-ec2-network-access-control-list-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-aws-elasticache-security-group-created.asciidoc[] +include::prebuilt-rule-7-16-4-aws-elasticache-security-group-modified-or-deleted.asciidoc[] +include::prebuilt-rule-7-16-4-aws-guardduty-detector-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-aws-s3-bucket-configuration-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-aws-waf-access-control-list-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-aws-waf-rule-or-rule-group-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-aws-ec2-full-network-packet-capture-detected.asciidoc[] +include::prebuilt-rule-7-16-4-aws-ec2-snapshot-activity.asciidoc[] +include::prebuilt-rule-7-16-4-aws-ec2-vm-export-failure.asciidoc[] +include::prebuilt-rule-7-16-4-aws-rds-snapshot-export.asciidoc[] +include::prebuilt-rule-7-16-4-aws-rds-snapshot-restored.asciidoc[] +include::prebuilt-rule-7-16-4-aws-eventbridge-rule-disabled-or-deleted.asciidoc[] +include::prebuilt-rule-7-16-4-aws-cloudtrail-log-updated.asciidoc[] +include::prebuilt-rule-7-16-4-aws-cloudwatch-log-group-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-aws-cloudwatch-log-stream-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-aws-ec2-encryption-disabled.asciidoc[] +include::prebuilt-rule-7-16-4-aws-efs-file-system-or-mount-deleted.asciidoc[] +include::prebuilt-rule-7-16-4-aws-iam-deactivation-of-mfa-device.asciidoc[] +include::prebuilt-rule-7-16-4-aws-iam-group-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-aws-rds-security-group-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-aws-deletion-of-rds-instance-or-cluster.asciidoc[] +include::prebuilt-rule-7-16-4-aws-rds-instance-cluster-stoppage.asciidoc[] +include::prebuilt-rule-7-16-4-aws-management-console-root-login.asciidoc[] +include::prebuilt-rule-7-16-4-aws-iam-password-recovery-requested.asciidoc[] +include::prebuilt-rule-7-16-4-aws-execution-via-system-manager.asciidoc[] 
+include::prebuilt-rule-7-16-4-spike-in-aws-error-messages.asciidoc[] +include::prebuilt-rule-7-16-4-rare-aws-error-code.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-city-for-an-aws-command.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-country-for-an-aws-command.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-aws-command-for-a-user.asciidoc[] +include::prebuilt-rule-7-16-4-aws-ec2-network-access-control-list-creation.asciidoc[] +include::prebuilt-rule-7-16-4-aws-security-group-configuration-change-detection.asciidoc[] +include::prebuilt-rule-7-16-4-aws-iam-group-creation.asciidoc[] +include::prebuilt-rule-7-16-4-aws-rds-cluster-creation.asciidoc[] +include::prebuilt-rule-7-16-4-aws-rds-security-group-creation.asciidoc[] +include::prebuilt-rule-7-16-4-aws-rds-instance-creation.asciidoc[] +include::prebuilt-rule-7-16-4-aws-redshift-cluster-creation.asciidoc[] +include::prebuilt-rule-7-16-4-aws-route-53-domain-transfer-lock-disabled.asciidoc[] +include::prebuilt-rule-7-16-4-aws-route-53-domain-transferred-to-another-account.asciidoc[] +include::prebuilt-rule-7-16-4-aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc[] +include::prebuilt-rule-7-16-4-aws-route-table-created.asciidoc[] +include::prebuilt-rule-7-16-4-aws-route-table-modified-or-deleted.asciidoc[] +include::prebuilt-rule-7-16-4-aws-saml-activity.asciidoc[] +include::prebuilt-rule-7-16-4-aws-root-login-without-mfa.asciidoc[] +include::prebuilt-rule-7-16-4-aws-security-token-service-sts-assumerole-usage.asciidoc[] +include::prebuilt-rule-7-16-4-aws-sts-getsessiontoken-abuse.asciidoc[] +include::prebuilt-rule-7-16-4-aws-iam-assume-role-policy-update.asciidoc[] +include::prebuilt-rule-7-16-4-azure-event-hub-authorization-rule-created-or-updated.asciidoc[] +include::prebuilt-rule-7-16-4-azure-full-network-packet-capture-detected.asciidoc[] +include::prebuilt-rule-7-16-4-azure-key-vault-modified.asciidoc[] +include::prebuilt-rule-7-16-4-azure-storage-account-key-regenerated.asciidoc[] 
+include::prebuilt-rule-7-16-4-azure-application-credential-modification.asciidoc[] +include::prebuilt-rule-7-16-4-azure-automation-runbook-deleted.asciidoc[] +include::prebuilt-rule-7-16-4-azure-blob-permissions-modification.asciidoc[] +include::prebuilt-rule-7-16-4-azure-diagnostic-settings-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-azure-service-principal-addition.asciidoc[] +include::prebuilt-rule-7-16-4-azure-event-hub-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-azure-firewall-policy-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-azure-frontdoor-web-application-firewall-waf-policy-deleted.asciidoc[] +include::prebuilt-rule-7-16-4-azure-kubernetes-events-deleted.asciidoc[] +include::prebuilt-rule-7-16-4-azure-network-watcher-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-azure-alert-suppression-rule-created-or-modified.asciidoc[] +include::prebuilt-rule-7-16-4-azure-blob-container-access-level-modification.asciidoc[] +include::prebuilt-rule-7-16-4-azure-command-execution-on-virtual-machine.asciidoc[] +include::prebuilt-rule-7-16-4-azure-service-principal-credentials-added.asciidoc[] +include::prebuilt-rule-7-16-4-azure-kubernetes-pods-deleted.asciidoc[] +include::prebuilt-rule-7-16-4-azure-resource-group-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-azure-virtual-network-device-modified-or-deleted.asciidoc[] +include::prebuilt-rule-7-16-4-azure-active-directory-high-risk-sign-in.asciidoc[] +include::prebuilt-rule-7-16-4-azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc[] +include::prebuilt-rule-7-16-4-azure-active-directory-powershell-sign-in.asciidoc[] +include::prebuilt-rule-7-16-4-possible-consent-grant-attack-via-azure-registered-application.asciidoc[] +include::prebuilt-rule-7-16-4-azure-external-guest-user-invitation.asciidoc[] +include::prebuilt-rule-7-16-4-azure-automation-account-created.asciidoc[] +include::prebuilt-rule-7-16-4-azure-automation-runbook-created-or-modified.asciidoc[] 
+include::prebuilt-rule-7-16-4-azure-automation-webhook-created.asciidoc[] +include::prebuilt-rule-7-16-4-azure-conditional-access-policy-modified.asciidoc[] +include::prebuilt-rule-7-16-4-azure-ad-global-administrator-role-assigned.asciidoc[] +include::prebuilt-rule-7-16-4-azure-global-administrator-role-addition-to-pim-user.asciidoc[] +include::prebuilt-rule-7-16-4-azure-privilege-identity-management-role-modified.asciidoc[] +include::prebuilt-rule-7-16-4-multi-factor-authentication-disabled-for-an-azure-user.asciidoc[] +include::prebuilt-rule-7-16-4-user-added-as-owner-for-azure-application.asciidoc[] +include::prebuilt-rule-7-16-4-user-added-as-owner-for-azure-service-principal.asciidoc[] +include::prebuilt-rule-7-16-4-azure-kubernetes-rolebindings-created.asciidoc[] +include::prebuilt-rule-7-16-4-cyberark-privileged-access-security-error.asciidoc[] +include::prebuilt-rule-7-16-4-cyberark-privileged-access-security-recommended-monitor.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-pub-sub-subscription-creation.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-pub-sub-topic-creation.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-firewall-rule-creation.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-firewall-rule-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-firewall-rule-modification.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-logging-bucket-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-logging-sink-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-pub-sub-subscription-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-pub-sub-topic-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-storage-bucket-configuration-modification.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-storage-bucket-permissions-modification.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-virtual-private-cloud-network-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-virtual-private-cloud-route-creation.asciidoc[] 
+include::prebuilt-rule-7-16-4-gcp-virtual-private-cloud-route-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-logging-sink-modification.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-iam-role-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-service-account-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-service-account-disabled.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-storage-bucket-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-iam-custom-role-creation.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-iam-service-account-key-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-service-account-key-creation.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-service-account-creation.asciidoc[] +include::prebuilt-rule-7-16-4-gcp-kubernetes-rolebindings-created-or-patched.asciidoc[] +include::prebuilt-rule-7-16-4-application-added-to-google-workspace-domain.asciidoc[] +include::prebuilt-rule-7-16-4-domain-added-to-google-workspace-trusted-domains.asciidoc[] +include::prebuilt-rule-7-16-4-google-workspace-admin-role-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-google-workspace-mfa-enforcement-disabled.asciidoc[] +include::prebuilt-rule-7-16-4-google-workspace-password-policy-modified.asciidoc[] +include::prebuilt-rule-7-16-4-mfa-disabled-for-google-workspace-organization.asciidoc[] +include::prebuilt-rule-7-16-4-google-workspace-admin-role-assigned-to-a-user.asciidoc[] +include::prebuilt-rule-7-16-4-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc[] +include::prebuilt-rule-7-16-4-google-workspace-custom-admin-role-created.asciidoc[] +include::prebuilt-rule-7-16-4-google-workspace-role-modified.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-inbox-forwarding-rule-created.asciidoc[] +include::prebuilt-rule-7-16-4-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc[] +include::prebuilt-rule-7-16-4-potential-password-spraying-of-microsoft-365-user-accounts.asciidoc[] 
+include::prebuilt-rule-7-16-4-o365-excessive-single-sign-on-logon-errors.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-exchange-dlp-policy-removed.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-exchange-malware-filter-policy-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-exchange-malware-filter-rule-modification.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-exchange-safe-attachment-rule-disabled.asciidoc[] +include::prebuilt-rule-7-16-4-o365-mailbox-audit-logging-bypass.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-exchange-transport-rule-creation.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-exchange-transport-rule-modification.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-potential-ransomware-activity.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-unusual-volume-of-file-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-exchange-anti-phish-policy-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-exchange-anti-phish-rule-modification.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-exchange-safe-link-policy-disabled.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-user-restricted-from-sending-email.asciidoc[] +include::prebuilt-rule-7-16-4-o365-email-reported-by-user-as-malware-or-phish.asciidoc[] +include::prebuilt-rule-7-16-4-onedrive-malware-file-upload.asciidoc[] +include::prebuilt-rule-7-16-4-sharepoint-malware-file-upload.asciidoc[] +include::prebuilt-rule-7-16-4-o365-exchange-suspicious-mailbox-right-delegation.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-exchange-dkim-signing-configuration-disabled.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-exchange-management-group-role-assignment.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-global-administrator-role-assigned.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-teams-custom-application-interaction-allowed.asciidoc[] 
+include::prebuilt-rule-7-16-4-microsoft-365-teams-external-access-enabled.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-365-teams-guest-access-enabled.asciidoc[] +include::prebuilt-rule-7-16-4-new-or-modified-federation-domain.asciidoc[] +include::prebuilt-rule-7-16-4-attempted-bypass-of-okta-mfa.asciidoc[] +include::prebuilt-rule-7-16-4-attempts-to-brute-force-an-okta-user-account.asciidoc[] +include::prebuilt-rule-7-16-4-potential-abuse-of-repeated-mfa-push-notifications.asciidoc[] +include::prebuilt-rule-7-16-4-okta-brute-force-or-password-spraying-attack.asciidoc[] +include::prebuilt-rule-7-16-4-okta-user-session-impersonation.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-network-zone.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-delete-an-okta-network-zone.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-policy.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-policy-rule.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-delete-an-okta-policy.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-delete-an-okta-policy-rule.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-modify-an-okta-network-zone.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-modify-an-okta-policy.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-modify-an-okta-policy-rule.asciidoc[] +include::prebuilt-rule-7-16-4-high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-revoke-okta-api-token.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-deactivate-an-okta-application.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-delete-an-okta-application.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-modify-an-okta-application.asciidoc[] +include::prebuilt-rule-7-16-4-possible-okta-dos-attack.asciidoc[] +include::prebuilt-rule-7-16-4-unauthorized-access-to-an-okta-application.asciidoc[] 
+include::prebuilt-rule-7-16-4-suspicious-activity-reported-by-okta-user.asciidoc[] +include::prebuilt-rule-7-16-4-threat-detected-by-okta-threatinsight.asciidoc[] +include::prebuilt-rule-7-16-4-administrator-privileges-assigned-to-an-okta-group.asciidoc[] +include::prebuilt-rule-7-16-4-administrator-role-assigned-to-an-okta-user.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-create-okta-api-token.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-deactivate-mfa-for-an-okta-user-account.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-reset-mfa-factors-for-an-okta-user-account.asciidoc[] +include::prebuilt-rule-7-16-4-modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc[] +include::prebuilt-rule-7-16-4-potential-protocol-tunneling-via-earthworm.asciidoc[] +include::prebuilt-rule-7-16-4-potential-openssh-backdoor-logging-activity.asciidoc[] +include::prebuilt-rule-7-16-4-file-made-immutable-by-chattr.asciidoc[] +include::prebuilt-rule-7-16-4-creation-of-hidden-files-and-directories-via-commandline.asciidoc[] +include::prebuilt-rule-7-16-4-creation-of-hidden-shared-object-file.asciidoc[] +include::prebuilt-rule-7-16-4-system-log-file-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc[] +include::prebuilt-rule-7-16-4-bpf-filter-applied-using-tc.asciidoc[] +include::prebuilt-rule-7-16-4-high-number-of-process-terminations.asciidoc[] +include::prebuilt-rule-7-16-4-chkconfig-service-add.asciidoc[] +include::prebuilt-rule-7-16-4-dynamic-linker-copy.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-file-creation-in-etc-for-persistence.asciidoc[] +include::prebuilt-rule-7-16-4-kernel-module-load-via-insmod.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc[] +include::prebuilt-rule-7-16-4-access-of-stored-browser-credentials.asciidoc[] 
+include::prebuilt-rule-7-16-4-access-to-keychain-credentials-directories.asciidoc[] +include::prebuilt-rule-7-16-4-dumping-of-keychain-content-via-security-command.asciidoc[] +include::prebuilt-rule-7-16-4-keychain-password-retrieval-via-command-line.asciidoc[] +include::prebuilt-rule-7-16-4-prompt-for-credentials-with-osascript.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-remove-file-quarantine-attribute.asciidoc[] +include::prebuilt-rule-7-16-4-potential-privacy-control-bypass-via-tccdb-modification.asciidoc[] +include::prebuilt-rule-7-16-4-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc[] +include::prebuilt-rule-7-16-4-enumeration-of-users-or-groups-via-built-in-commands.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-mount-smb-share-via-command-line.asciidoc[] +include::prebuilt-rule-7-16-4-virtual-private-network-connection-attempt.asciidoc[] +include::prebuilt-rule-7-16-4-creation-of-hidden-login-item-via-apple-script.asciidoc[] +include::prebuilt-rule-7-16-4-emond-rules-creation-or-modification.asciidoc[] +include::prebuilt-rule-7-16-4-creation-of-hidden-launch-agent-or-daemon.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-login-or-logout-hook.asciidoc[] +include::prebuilt-rule-7-16-4-sublime-plugin-or-application-script-modification.asciidoc[] +include::prebuilt-rule-7-16-4-unexpected-child-process-of-macos-screensaver-engine.asciidoc[] +include::prebuilt-rule-7-16-4-screensaver-plist-file-modified-by-unexpected-process.asciidoc[] +include::prebuilt-rule-7-16-4-apple-scripting-execution-with-administrator-privileges.asciidoc[] +include::prebuilt-rule-7-16-4-inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc[] +include::prebuilt-rule-7-16-4-exporting-exchange-mailbox-via-powershell.asciidoc[] +include::prebuilt-rule-7-16-4-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc[] +include::prebuilt-rule-7-16-4-powershell-keylogging-script.asciidoc[] 
+include::prebuilt-rule-7-16-4-powershell-suspicious-script-with-screenshot-capabilities.asciidoc[] +include::prebuilt-rule-7-16-4-encrypting-files-with-winrar-or-7z.asciidoc[] +include::prebuilt-rule-7-16-4-connection-to-commonly-abused-free-ssl-certificate-providers.asciidoc[] +include::prebuilt-rule-7-16-4-port-forwarding-rule-addition.asciidoc[] +include::prebuilt-rule-7-16-4-potential-remote-desktop-tunneling-detected.asciidoc[] +include::prebuilt-rule-7-16-4-remote-file-download-via-desktopimgdownldr-utility.asciidoc[] +include::prebuilt-rule-7-16-4-remote-file-download-via-mpcmdrun.asciidoc[] +include::prebuilt-rule-7-16-4-remote-file-copy-via-teamviewer.asciidoc[] +include::prebuilt-rule-7-16-4-potential-credential-access-via-windows-utilities.asciidoc[] +include::prebuilt-rule-7-16-4-ntds-or-sam-database-file-copied.asciidoc[] +include::prebuilt-rule-7-16-4-potential-credential-access-via-dcsync.asciidoc[] +include::prebuilt-rule-7-16-4-kerberos-pre-authentication-disabled-for-user.asciidoc[] +include::prebuilt-rule-7-16-4-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc[] +include::prebuilt-rule-7-16-4-credential-acquisition-via-registry-hive-dumping.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-iis-service-account-password-dumped.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-iis-connection-strings-decryption.asciidoc[] +include::prebuilt-rule-7-16-4-kerberos-traffic-from-unusual-process.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-lsass-access-via-malseclogon.asciidoc[] +include::prebuilt-rule-7-16-4-lsass-memory-dump-creation.asciidoc[] +include::prebuilt-rule-7-16-4-lsass-memory-dump-handle-access.asciidoc[] +include::prebuilt-rule-7-16-4-mimikatz-memssp-log-file-detected.asciidoc[] +include::prebuilt-rule-7-16-4-potential-invoke-mimikatz-powershell-script.asciidoc[] +include::prebuilt-rule-7-16-4-modification-of-wdigest-security-provider.asciidoc[] 
+include::prebuilt-rule-7-16-4-powershell-minidump-script.asciidoc[] +include::prebuilt-rule-7-16-4-powershell-kerberos-ticket-request.asciidoc[] +include::prebuilt-rule-7-16-4-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc[] +include::prebuilt-rule-7-16-4-potential-remote-credential-access-via-registry.asciidoc[] +include::prebuilt-rule-7-16-4-searching-for-saved-credentials-via-vaultcmd.asciidoc[] +include::prebuilt-rule-7-16-4-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc[] +include::prebuilt-rule-7-16-4-potential-shadow-credentials-added-to-ad-object.asciidoc[] +include::prebuilt-rule-7-16-4-user-account-exposed-to-kerberoasting.asciidoc[] +include::prebuilt-rule-7-16-4-potential-credential-access-via-renamed-com-services-dll.asciidoc[] +include::prebuilt-rule-7-16-4-potential-credential-access-via-lsass-memory-dump.asciidoc[] +include::prebuilt-rule-7-16-4-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc[] +include::prebuilt-rule-7-16-4-symbolic-link-to-shadow-copy-created.asciidoc[] +include::prebuilt-rule-7-16-4-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc[] +include::prebuilt-rule-7-16-4-adding-hidden-file-attribute-via-attrib.asciidoc[] +include::prebuilt-rule-7-16-4-modification-of-amsienable-registry-key.asciidoc[] +include::prebuilt-rule-7-16-4-clearing-windows-console-history.asciidoc[] +include::prebuilt-rule-7-16-4-clearing-windows-event-logs.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-process-from-conhost.asciidoc[] +include::prebuilt-rule-7-16-4-creation-or-modification-of-root-certificate.asciidoc[] +include::prebuilt-rule-7-16-4-windows-defender-disabled-via-registry-modification.asciidoc[] +include::prebuilt-rule-7-16-4-windows-defender-exclusions-added-via-powershell.asciidoc[] +include::prebuilt-rule-7-16-4-delete-volume-usn-journal-with-fsutil.asciidoc[] 
+include::prebuilt-rule-7-16-4-powershell-script-block-logging-disabled.asciidoc[] +include::prebuilt-rule-7-16-4-disable-windows-firewall-rules-via-netsh.asciidoc[] +include::prebuilt-rule-7-16-4-disabling-windows-defender-security-settings-via-powershell.asciidoc[] +include::prebuilt-rule-7-16-4-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc[] +include::prebuilt-rule-7-16-4-dns-over-https-enabled-via-registry.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-net-code-compilation.asciidoc[] +include::prebuilt-rule-7-16-4-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc[] +include::prebuilt-rule-7-16-4-enable-host-network-discovery-via-netsh.asciidoc[] +include::prebuilt-rule-7-16-4-control-panel-process-with-unusual-arguments.asciidoc[] +include::prebuilt-rule-7-16-4-imageload-via-windows-update-auto-update-client.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-build-engine-started-by-an-office-application.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-build-engine-started-by-a-script-process.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-build-engine-started-by-a-system-process.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-build-engine-using-an-alternate-name.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-build-engine-started-an-unusual-process.asciidoc[] +include::prebuilt-rule-7-16-4-potential-dll-sideloading-via-trusted-microsoft-programs.asciidoc[] +include::prebuilt-rule-7-16-4-potential-dll-side-loading-via-microsoft-antimalware-service-executable.asciidoc[] +include::prebuilt-rule-7-16-4-executable-file-creation-with-multiple-extensions.asciidoc[] +include::prebuilt-rule-7-16-4-process-execution-from-an-unusual-directory.asciidoc[] +include::prebuilt-rule-7-16-4-iis-http-logging-disabled.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-endpoint-security-parent-process.asciidoc[] +include::prebuilt-rule-7-16-4-renamed-autoit-scripts-interpreter.asciidoc[] 
+include::prebuilt-rule-7-16-4-suspicious-werfault-child-process.asciidoc[] +include::prebuilt-rule-7-16-4-program-files-directory-masquerading.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-windows-defender-tampering.asciidoc[] +include::prebuilt-rule-7-16-4-ms-office-macro-security-registry-modifications.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-net-reflection-via-powershell.asciidoc[] +include::prebuilt-rule-7-16-4-powershell-suspicious-payload-encoded-and-compressed.asciidoc[] +include::prebuilt-rule-7-16-4-potential-process-injection-via-powershell.asciidoc[] +include::prebuilt-rule-7-16-4-windows-firewall-disabled-via-powershell.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-microsoft-diagnostics-wizard-execution.asciidoc[] +include::prebuilt-rule-7-16-4-scheduled-tasks-at-command-enabled.asciidoc[] +include::prebuilt-rule-7-16-4-potential-secure-file-deletion-via-sdelete-utility.asciidoc[] +include::prebuilt-rule-7-16-4-solarwinds-process-disabling-services-via-registry.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-certutil-commands.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-execution-from-a-mounted-device.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-process-access-via-direct-system-call.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-execution-short-program-name.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-zoom-child-process.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-executable-file-creation-by-a-system-critical-process.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-file-creation-alternate-data-stream.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-process-execution-path-alternate-data-stream.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-child-process-from-a-system-virtual-process.asciidoc[] +include::prebuilt-rule-7-16-4-potential-evasion-via-filter-manager.asciidoc[] +include::prebuilt-rule-7-16-4-signed-proxy-execution-via-ms-work-folders.asciidoc[] 
+include::prebuilt-rule-7-16-4-adfind-command-activity.asciidoc[] +include::prebuilt-rule-7-16-4-enumeration-of-administrator-accounts.asciidoc[] +include::prebuilt-rule-7-16-4-account-discovery-command-via-system-account.asciidoc[] +include::prebuilt-rule-7-16-4-enumerating-domain-trusts-via-nltest-exe.asciidoc[] +include::prebuilt-rule-7-16-4-windows-network-enumeration.asciidoc[] +include::prebuilt-rule-7-16-4-peripheral-device-discovery.asciidoc[] +include::prebuilt-rule-7-16-4-powershell-suspicious-discovery-related-windows-api-functions.asciidoc[] +include::prebuilt-rule-7-16-4-enumeration-of-privileged-local-groups-membership.asciidoc[] +include::prebuilt-rule-7-16-4-remote-system-discovery-commands.asciidoc[] +include::prebuilt-rule-7-16-4-security-software-discovery-using-wmic.asciidoc[] +include::prebuilt-rule-7-16-4-whoami-process-activity.asciidoc[] +include::prebuilt-rule-7-16-4-command-execution-via-solarwinds-process.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-solarwinds-child-process.asciidoc[] +include::prebuilt-rule-7-16-4-execution-of-com-object-via-xwizard.asciidoc[] +include::prebuilt-rule-7-16-4-svchost-spawning-cmd.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-parent-process-for-cmd-exe.asciidoc[] +include::prebuilt-rule-7-16-4-command-shell-activity-started-via-rundll32.asciidoc[] +include::prebuilt-rule-7-16-4-enumeration-command-spawned-via-wmiprvse.asciidoc[] +include::prebuilt-rule-7-16-4-execution-from-unusual-directory-command-line.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-portable-executable-encoded-in-powershell-script.asciidoc[] +include::prebuilt-rule-7-16-4-powershell-psreflect-script.asciidoc[] +include::prebuilt-rule-7-16-4-execution-via-local-sxs-shared-module.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-cmd-execution-via-wmi.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-wmi-image-load-from-ms-office.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-pdf-reader-child-process.asciidoc[] 
+include::prebuilt-rule-7-16-4-suspicious-powershell-engine-imageload.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-process-execution-via-renamed-psexec-executable.asciidoc[] +include::prebuilt-rule-7-16-4-process-activity-via-compiled-html-file.asciidoc[] +include::prebuilt-rule-7-16-4-conhost-spawned-by-suspicious-parent-process.asciidoc[] +include::prebuilt-rule-7-16-4-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc[] +include::prebuilt-rule-7-16-4-third-party-backup-files-deleted-via-unexpected-process.asciidoc[] +include::prebuilt-rule-7-16-4-deleting-backup-catalogs-with-wbadmin.asciidoc[] +include::prebuilt-rule-7-16-4-modification-of-boot-configuration.asciidoc[] +include::prebuilt-rule-7-16-4-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc[] +include::prebuilt-rule-7-16-4-volume-shadow-copy-deletion-via-powershell.asciidoc[] +include::prebuilt-rule-7-16-4-volume-shadow-copy-deletion-via-wmic.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-html-file-creation.asciidoc[] +include::prebuilt-rule-7-16-4-windows-script-executing-powershell.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-exchange-server-um-writing-suspicious-files.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc[] +include::prebuilt-rule-7-16-4-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-ms-office-child-process.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-ms-outlook-child-process.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-child-process-of-dns-exe.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-file-modification-by-dns-exe.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-explorer-child-process.asciidoc[] +include::prebuilt-rule-7-16-4-potential-remote-desktop-shadowing-activity.asciidoc[] +include::prebuilt-rule-7-16-4-execution-via-tsclient-mountpoint.asciidoc[] 
+include::prebuilt-rule-7-16-4-mounting-hidden-or-webdav-remote-shares.asciidoc[] +include::prebuilt-rule-7-16-4-rdp-enabled-via-registry.asciidoc[] +include::prebuilt-rule-7-16-4-remote-file-copy-to-a-hidden-share.asciidoc[] +include::prebuilt-rule-7-16-4-service-control-spawned-via-script-interpreter.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-rdp-activex-client-loaded.asciidoc[] +include::prebuilt-rule-7-16-4-lateral-movement-via-startup-folder.asciidoc[] +include::prebuilt-rule-7-16-4-adobe-hijack-persistence.asciidoc[] +include::prebuilt-rule-7-16-4-registry-persistence-via-appcert-dll.asciidoc[] +include::prebuilt-rule-7-16-4-registry-persistence-via-appinit-dll.asciidoc[] +include::prebuilt-rule-7-16-4-creation-of-a-hidden-local-user-account.asciidoc[] +include::prebuilt-rule-7-16-4-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-scheduled-job-creation.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-microsoft-office-addins.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-microsoft-outlook-vba.asciidoc[] +include::prebuilt-rule-7-16-4-krbtgt-delegation-backdoor.asciidoc[] +include::prebuilt-rule-7-16-4-new-activesyncalloweddeviceid-added-via-powershell.asciidoc[] +include::prebuilt-rule-7-16-4-potential-modification-of-accessibility-binaries.asciidoc[] +include::prebuilt-rule-7-16-4-adminsdholder-sdprop-exclusion-added.asciidoc[] +include::prebuilt-rule-7-16-4-startup-persistence-by-a-suspicious-process.asciidoc[] +include::prebuilt-rule-7-16-4-persistent-scripts-in-the-startup-directory.asciidoc[] +include::prebuilt-rule-7-16-4-component-object-model-hijacking.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-execution-via-scheduled-task.asciidoc[] +include::prebuilt-rule-7-16-4-system-shells-via-services.asciidoc[] 
+include::prebuilt-rule-7-16-4-user-added-to-privileged-group-in-active-directory.asciidoc[] +include::prebuilt-rule-7-16-4-user-account-creation.asciidoc[] +include::prebuilt-rule-7-16-4-potential-application-shimming-via-sdbinst.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-bits-job-notify-cmdline.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-hidden-run-key-detected.asciidoc[] +include::prebuilt-rule-7-16-4-installation-of-security-support-provider.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-update-orchestrator-service-hijack.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-wmi-event-subscription.asciidoc[] +include::prebuilt-rule-7-16-4-webshell-detection-script-process-child-of-common-web-processes.asciidoc[] +include::prebuilt-rule-7-16-4-disabling-user-account-control-via-registry-modification.asciidoc[] +include::prebuilt-rule-7-16-4-startup-logon-script-added-to-group-policy-object.asciidoc[] +include::prebuilt-rule-7-16-4-group-policy-abuse-for-privilege-addition.asciidoc[] +include::prebuilt-rule-7-16-4-scheduled-task-execution-at-scale-via-gpo.asciidoc[] +include::prebuilt-rule-7-16-4-potential-privilege-escalation-via-installerfiletakeover.asciidoc[] +include::prebuilt-rule-7-16-4-privilege-escalation-via-named-pipe-impersonation.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-printspooler-service-executable-file-creation.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-print-spooler-file-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-printspooler-spl-file-created.asciidoc[] +include::prebuilt-rule-7-16-4-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc[] 
+include::prebuilt-rule-7-16-4-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc[] +include::prebuilt-rule-7-16-4-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc[] +include::prebuilt-rule-7-16-4-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc[] +include::prebuilt-rule-7-16-4-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc[] +include::prebuilt-rule-7-16-4-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc[] +include::prebuilt-rule-7-16-4-bypass-uac-via-event-viewer.asciidoc[] +include::prebuilt-rule-7-16-4-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc[] +include::prebuilt-rule-7-16-4-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-parent-child-relationship.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-print-spooler-child-process.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-service-host-child-process-childless-service.asciidoc[] +include::prebuilt-rule-7-16-4-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc[] +include::prebuilt-rule-7-16-4-windows-service-installed-via-an-unusual-client.asciidoc[] +include::prebuilt-rule-7-16-4-eggshell-backdoor-execution.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-network-connection-attempt-by-root.asciidoc[] +include::prebuilt-rule-7-16-4-potential-dns-tunneling-via-iodine.asciidoc[] +include::prebuilt-rule-7-16-4-nping-process-activity.asciidoc[] +include::prebuilt-rule-7-16-4-netcat-network-activity.asciidoc[] +include::prebuilt-rule-7-16-4-binary-executed-from-shared-memory-directory.asciidoc[] +include::prebuilt-rule-7-16-4-modification-of-openssh-binaries.asciidoc[] +include::prebuilt-rule-7-16-4-potential-shell-via-web-server.asciidoc[] +include::prebuilt-rule-7-16-4-kerberos-cached-credentials-dumping.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-install-root-certificate.asciidoc[] 
+include::prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.asciidoc[] +include::prebuilt-rule-7-16-4-potential-microsoft-office-sandbox-evasion.asciidoc[] +include::prebuilt-rule-7-16-4-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc[] +include::prebuilt-rule-7-16-4-macos-installer-package-spawns-network-event.asciidoc[] +include::prebuilt-rule-7-16-4-apple-script-execution-followed-by-network-connection.asciidoc[] +include::prebuilt-rule-7-16-4-remote-ssh-login-enabled-via-systemsetup-command.asciidoc[] +include::prebuilt-rule-7-16-4-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc[] +include::prebuilt-rule-7-16-4-authorization-plugin-modification.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-directoryservice-plugin-modification.asciidoc[] +include::prebuilt-rule-7-16-4-persistence-via-folder-action-script.asciidoc[] +include::prebuilt-rule-7-16-4-potential-persistence-via-login-hook.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-calendar-file-modification.asciidoc[] +include::prebuilt-rule-7-16-4-potential-persistence-via-atom-init-script-modification.asciidoc[] +include::prebuilt-rule-7-16-4-execution-with-explicit-credentials-via-scripting.asciidoc[] +include::prebuilt-rule-7-16-4-dns-tunneling.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-dns-activity.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-web-request.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-web-user-agent.asciidoc[] +include::prebuilt-rule-7-16-4-spike-in-failed-logon-events.asciidoc[] +include::prebuilt-rule-7-16-4-spike-in-logon-events.asciidoc[] +include::prebuilt-rule-7-16-4-spike-in-logon-events-from-a-source-ip.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-hour-for-a-user-to-logon.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-source-ip-for-a-user-to-logon-from.asciidoc[] 
+include::prebuilt-rule-7-16-4-rare-user-logon.asciidoc[] +include::prebuilt-rule-7-16-4-credential-dumping-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-7-16-4-credential-dumping-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-7-16-4-exploit-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-7-16-4-exploit-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-7-16-4-credential-manipulation-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-7-16-4-credential-manipulation-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-7-16-4-permission-theft-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-7-16-4-permission-theft-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-7-16-4-process-injection-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-7-16-4-process-injection-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-7-16-4-network-connection-via-certutil.asciidoc[] +include::prebuilt-rule-7-16-4-potential-credential-access-via-trusted-developer-utility.asciidoc[] +include::prebuilt-rule-7-16-4-installutil-process-making-network-connections.asciidoc[] +include::prebuilt-rule-7-16-4-network-connection-via-signed-binary.asciidoc[] +include::prebuilt-rule-7-16-4-mshta-making-network-connections.asciidoc[] +include::prebuilt-rule-7-16-4-process-termination-followed-by-deletion.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-child-processes-of-rundll32.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-process-creation-calltrace.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-script-object-execution.asciidoc[] +include::prebuilt-rule-7-16-4-suspicious-wmic-xsl-script-execution.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-network-connection-via-dllhost.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-network-connection-via-rundll32.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-process-network-connection.asciidoc[] 
+include::prebuilt-rule-7-16-4-external-ip-lookup-from-non-browser-process.asciidoc[] +include::prebuilt-rule-7-16-4-network-connection-via-compiled-html-file.asciidoc[] +include::prebuilt-rule-7-16-4-psexec-network-connection.asciidoc[] +include::prebuilt-rule-7-16-4-network-connection-via-registration-utility.asciidoc[] +include::prebuilt-rule-7-16-4-outbound-scheduled-task-activity-via-powershell.asciidoc[] +include::prebuilt-rule-7-16-4-windows-script-interpreter-executing-process-via-wmi.asciidoc[] +include::prebuilt-rule-7-16-4-incoming-dcom-lateral-movement-via-mshta.asciidoc[] +include::prebuilt-rule-7-16-4-direct-outbound-smb-connection.asciidoc[] +include::prebuilt-rule-7-16-4-remotely-started-services-via-rpc.asciidoc[] +include::prebuilt-rule-7-16-4-scheduled-task-created-by-a-windows-script.asciidoc[] +include::prebuilt-rule-7-16-4-account-password-reset-remotely.asciidoc[] +include::prebuilt-rule-7-16-4-dns-activity-to-the-internet.asciidoc[] +include::prebuilt-rule-7-16-4-attempt-to-disable-iptables-or-firewall.asciidoc[] +include::prebuilt-rule-7-16-4-whitespace-padding-in-process-command-line.asciidoc[] +include::prebuilt-rule-7-16-4-file-and-directory-discovery.asciidoc[] +include::prebuilt-rule-7-16-4-unusual-process-execution-temp.asciidoc[] +include::prebuilt-rule-7-16-4-auditd-max-failed-login-attempts.asciidoc[] +include::prebuilt-rule-7-16-4-auditd-login-from-forbidden-location.asciidoc[] +include::prebuilt-rule-7-16-4-auditd-max-login-sessions.asciidoc[] +include::prebuilt-rule-7-16-4-auditd-login-attempt-at-forbidden-time.asciidoc[] +include::prebuilt-rule-7-16-4-potential-privilege-escalation-via-local-kerberos-relay-over-ldap.asciidoc[] +include::prebuilt-rule-7-16-4-strace-process-activity.asciidoc[] 
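Review bot: the include order in this index has no stable sort key, so the rendered order of the rule pages and any future diff of this file will be hard to review. The entries are only loosely grouped (Google Workspace, Microsoft 365, Okta, then Linux, macOS and Windows blocks), with stragglers such as `prebuilt-rule-7-16-4-access-of-stored-browser-credentials.asciidoc` landing between the Linux persistence rules and the macOS keychain rules, and `prebuilt-rule-7-16-4-kerberos-cached-credentials-dumping.asciidoc` and `prebuilt-rule-7-16-4-attempt-to-install-root-certificate.asciidoc` following the Linux network rules. If the generator emits rules in whatever order it reads them, sort the includes (alphabetically by slug is enough) so that additions and removals in later packages show up as clean single-line changes. Also worth a look: the slug `prebuilt-rule-7-16-4-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc` has a dangling `-s`, which suggests the title contained `Binary(s)` and the slugifier dropped the parentheses; confirm the filename matches the one the rule page was written to, otherwise the include will fail at build time.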
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rules-7-16-4-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rules-7-16-4-summary.asciidoc new file mode 100644 index 0000000000..1b55925887 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/7-16-4/prebuilt-rules-7-16-4-summary.asciidoc 
@@ -0,0 +1,1040 @@ +[[prebuilt-rule-7-16-4-prebuilt-rules-7-16-4-summary]] +[role="xpack"] +== Update v7.16.4 + +This section lists all updates associated with version 7.16.4 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access to web applications or internet services as an authenticated user without needing credentials. | new | 5 + +|<> | Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. | new | 7 + +|<> | Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations. | new | 11 + +|<> | Identifies the {agent} has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state. | new | 4 + +|<> | Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder. | new | 8 + +|<> | Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as antivirus or host firewall details. | new | 6 + +|<> | An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware. 
| new | 5 + +|<> | Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity. | new | 5 + +|<> | Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. | new | 7 + +|<> | The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems. | new | 8 + +|<> | This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session. | new | 7 + +|<> | Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. | new | 9 + +|<> | Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. | new | 8 + +|<> | Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). 
| new | 9 + +|<> | Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. | new | 6 + +|<> | An adversary may attempt to access the secrets in AWS Secrets Manager to steal certificates, credentials, or other sensitive material. | new | 8 + +|<> | Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. | new | 10 + +|<> | Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. | new | 9 + +|<> | Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. | new | 10 + +|<> | Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and/or its workload instances. | new | 9 + +|<> | Identifies an AWS configuration change to stop recording a designated set of resources. | new | 9 + +|<> | Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. | new | 10 + +|<> | Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. | new | 10 + +|<> | Identifies when an ElastiCache security group has been created. | new | 5 + +|<> | Identifies when an ElastiCache security group has been modified or deleted. | new | 5 + +|<> | Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. 
| new | 10 + +|<> | Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. | new | 9 + +|<> | Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. | new | 10 + +|<> | Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. | new | 11 + +|<> | Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. | new | 5 + +|<> | An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. | new | 8 + +|<> | Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. | new | 5 + +|<> | Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. | new | 4 + +|<> | Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. | new | 6 + +|<> | Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. | new | 6 + +|<> | Identifies an update to an AWS log trail setting that specifies the delivery of log files. | new | 9 + +|<> | Identifies the deletion of a specified AWS CloudWatch log group. 
When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. | new | 10 + +|<> | Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. | new | 10 + +|<> | Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. | new | 9 + +|<> | Detects when an EFS file system or mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the file system, or the adversary will be unable to delete the file system. | new | 6 + +|<> | Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. | new | 8 + +|<> | Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. | new | 9 + +|<> | Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. | new | 6 + +|<> | Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. | new | 10 + +|<> | Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. | new | 8 + +|<> | Identifies a successful login to the AWS Management Console by the Root user. | new | 8 + +|<> | Identifies AWS IAM password recovery requests. 
An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. | new | 9 + +|<> | Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. | new | 9 + +|<> | A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery. | new | 12 + +|<> | A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection. | new | 10 + +|<> | A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). | new | 10 + +|<> | A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). | new | 12 + +|<> | A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data. 
| new | 10 + +|<> | Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. | new | 10 + +|<> | Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. | new | 7 + +|<> | Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. | new | 10 + +|<> | Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. | new | 10 + +|<> | Identifies the creation of an Amazon Relational Database Service (RDS) Security group. | new | 6 + +|<> | Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. | new | 6 + +|<> | Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. | new | 4 + +|<> | Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. | new | 4 + +|<> | Identifies when a request has been made to transfer a Route 53 domain to another AWS account. | new | 4 + +|<> | Identifies when a Route 53 private hosted zone has been associated with a virtual private cloud (VPC). | new | 4 + +|<> | Identifies when an AWS Route Table has been created. | new | 6 + +|<> | Identifies when an AWS Route Table has been modified or deleted. 
| new | 6 + +|<> | Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. | new | 5 + +|<> | Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. | new | 8 + +|<> | Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. | new | 5 + +|<> | Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. | new | 4 + +|<> | Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. | new | 8 + +|<> | Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application. | new | 8 + +|<> | Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic. | new | 4 + +|<> | Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. 
Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users. | new | 8 + +|<> | Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources. | new | 8 + +|<> | Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment. | new | 7 + +|<> | Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion. | new | 8 + +|<> | Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss. | new | 4 + +|<> | Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses. | new | 8 + +|<> | Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. 
For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity. | new | 7 + +|<> | Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection. | new | 9 + +|<> | Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers to their objective. | new | 9 + +|<> | Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective. | new | 5 + +|<> | Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. | new | 7 + +|<> | Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses. | new | 9 + +|<> | Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility. | new | 5 + +|<> | Identifies changes to container access levels in Azure. 
Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously. | new | 8 + +|<> | Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but does not allow accessing them or the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles, may be able to execute commands on a VM as well. | new | 8 + +|<> | Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements. | new | 5 + +|<> | Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment. | new | 6 + +|<> | Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data. | new | 8 + +|<> | Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router. | new | 5 + +|<> | Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher suspicion that the user or sign-in is compromised. 
| new | 6 + +|<> | Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics. | new | 4 + +|<> | Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role. | new | 7 + +|<> | Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents. | new | 8 + +|<> | Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability. | new | 8 + +|<> | Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment. | new | 8 + +|<> | Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment. | new | 8 + +|<> | Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. 
An adversary may create a webhook in order to trigger a runbook that contains malicious code. | new | 8 + +|<> | Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls. | new | 9 + +|<> | In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities, such as the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. | new | 5 + +|<> | Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global Administrator role can read and modify any administrative setting in your Azure AD organization. | new | 8 + +|<> | Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls. 
| new | 8 + +|<> | Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account. | new | 8 + +|<> | Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account. | new | 8 + +|<> | Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant. | new | 8 + +|<> | Identifies the creation of role bindings or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles. | new | 4 + +|<> | Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code. | new | 4 + +|<> | Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code. | new | 4 + +|<> | Identifies the creation of a subscription in Google Cloud Platform (GCP). 
In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application. | new | 9 + +|<> | Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers. | new | 9 + +|<> | Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit. | new | 8 + +|<> | Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls. | new | 8 + +|<> | Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit. | new | 8 + +|<> | Identifies a logging bucket deletion in Google Cloud Platform (GCP). 
Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection. | new | 10 + +|<> | Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, it's compared to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a logging sink to evade detection. | new | 9 + +|<> | Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application. | new | 9 + +|<> | Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline. | new | 9 + +|<> | Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment. | new | 8 + +|<> | Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. 
An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss. | new | 8 + +|<> | Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations. | new | 8 + +|<> | Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment. | new | 10 + +|<> | Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment. | new | 8 + +|<> | Identifies a modification to a logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a logging sink to exfiltrate logs to a different export destination. | new | 8 + +|<> | Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). 
A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users. | new | 9 + +|<> | Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations. | new | 8 + +|<> | Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations. | new | 8 + +|<> | Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations. | new | 9 + +|<> | Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized. | new | 9 + +|<> | Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). 
Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly. | new | 9 + +|<> | Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection. | new | 8 + +|<> | Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection. | new | 8 + +|<> | Identifies the creation or patching of potentially malicious role bindings. Users can use role bindings and cluster role bindings to assign roles to Kubernetes subjects (users, groups, or service accounts). | new | 5 + +|<> | Detects when a Google marketplace application is added to the Google Workspace domain. 
An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data. | new | 12 + +|<> | Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls. | new | 12 + +|<> | Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators. | new | 12 + +|<> | Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls. | new | 13 + +|<> | Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. | new | 13 + +|<> | Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. | new | 13 + +|<> | Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target’s environment. | new | 12 + +|<> | Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. | new | 12 + +|<> | Detects when a custom admin role is created in Google Workspace. 
An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. | new | 12 + +|<> | Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. | new | 12 + +|<> | Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges. | new | 7 + +|<> | Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. | new | 10 + +|<> | Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts. | new | 9 + +|<> | Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token. | new | 7 + +|<> | Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring. | new | 8 + +|<> | Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection. 
| new | 8 + +|<> | Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection. | new | 8 + +|<> | Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses. | new | 8 + +|<> | Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account. | new | 6 + +|<> | Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data. | new | 9 + +|<> | Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses. 
| new | 8 + +|<> | Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware. | new | 6 + +|<> | Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security. | new | 5 + +|<> | Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks. | new | 8 + +|<> | Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks. | new | 8 + +|<> | Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user. | new | 8 + +|<> | Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center. | new | 5 + +|<> | Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks. | new | 4 + +|<> | Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. 
Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment. | new | 4 + +|<> | Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment. | new | 5 + +|<> | Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms. | new | 5 + +|<> | Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed. | new | 9 + +|<> | Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment. | new | 8 + +|<> | In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. 
Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. | new | 5 + +|<> | Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment. | new | 8 + +|<> | Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment. | new | 8 + +|<> | Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment. | new | 8 + +|<> | Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider. | new | 5 + +|<> | Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application. | new | 9 + +|<> | Identifies when an Okta user account is locked out 3 times within a 3-hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts. | new | 8 + +|<> | Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. 
An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access. | new | 5 + +|<> | Identifies a high number of failed Okta user authentication attempts from a single IP address, which could indicate a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. | new | 8 + +|<> | A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected. | new | 4 + +|<> | Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. | new | 7 + +|<> | Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. | new | 7 + +|<> | Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. | new | 9 + +|<> | Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls. | new | 9 + +|<> | Detects attempts to delete an Okta policy. 
An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. | new | 9 + +|<> | Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls. | new | 7 + +|<> | Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. | new | 9 + +|<> | Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. | new | 9 + +|<> | Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls. | new | 9 + +|<> | Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection. | new | 8 + +|<> | Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations. | new | 9 + +|<> | Detects attempts to deactivate an Okta application. 
An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. | new | 7 + +|<> | Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. | new | 7 + +|<> | Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. | new | 7 + +|<> | Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service. | new | 9 + +|<> | Identifies unauthorized access attempts to Okta applications. | new | 5 + +|<> | Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network. | new | 9 + +|<> | Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks. | new | 9 + +|<> | Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization. | new | 9 + +|<> | Identifies when an administrator role is assigned to an Okta user. 
An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment. | new | 7 + +|<> | Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies. | new | 9 + +|<> | Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account. | new | 9 + +|<> | Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment. | new | 9 + +|<> | Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls. | new | 9 + +|<> | Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems. | new | 5 + +|<> | Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration. | new | 5 + +|<> | Detects a file being made immutable using the chattr binary. 
Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). | new | 3 + +|<
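Review bot: several description cells in this table carry copy-paste and spelling errors that will ship into the published rule reference. The row for a disabled GCP service account reads "in order to disrupt to disrupt their target's business operations" (doubled "to disrupt"); the row for MFA being disabled for a Google Workspace organization reuses the password-policy rationale ("An adversary may attempt to modify a password policy in order to weaken...") instead of describing the effect of disabling MFA; "Anti-phishing polices" should be "policies"; and "occurence" appears in both the OneDrive and SharePoint malware-detection rows and should be "occurrence". If these cells are generated from the rules' own description fields, the corrections should be applied there as well, or the next regeneration of the table will reintroduce them.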