forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcommand_and_control_common_webservices.toml
115 lines (103 loc) · 3.53 KB
/
command_and_control_common_webservices.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
[metadata]
creation_date = "2020/11/04"
maturity = "production"
updated_date = "2022/02/14"
[rule]
author = ["Elastic"]
description = """
Adversaries may implement command and control communications that use common web services in order to hide their
activity. This attack technique is typically targeted to an organization and uses web services common to the victim
network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically
targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Connection to Commonly Abused Web Services"
risk_score = 21
rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
network where network.protocol == "dns" and
process.name != null and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
/* Add new WebSvc domains here */
dns.question.name :
(
"raw.githubusercontent.*",
"*.pastebin.*",
"*drive.google.*",
"*docs.live.*",
"*api.dropboxapi.*",
"*dropboxusercontent.*",
"*onedrive.*",
"*4shared.*",
"*.file.io",
"*filebin.net",
"*slack-files.com",
"*ghostbin.*",
"*ngrok.*",
"*portmap.*",
"*serveo.net",
"*localtunnel.me",
"*pagekite.me",
"*localxpose.io",
"*notabug.org",
"rawcdn.githack.*",
"paste.nrecom.net",
"zerobin.net",
"controlc.com",
"requestbin.net",
"cdn.discordapp.com",
"discordapp.com",
"discord.com"
) and
/* Insert noisy false positives here */
not process.executable :
(
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\System32\\WWAHost.exe",
"?:\\Windows\\System32\\smartscreen.exe",
"?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
"?:\\Windows\\system32\\mobsync.exe",
"?:\\Windows\\SysWOW64\\mobsync.exe",
"?:\\Users\\*\\AppData\\Local\\Discord\\-*\\Discord.exe"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[[rule.threat.technique.subtechnique]]
id = "T1567.001"
name = "Exfiltration to Code Repository"
reference = "https://attack.mitre.org/techniques/T1567/001/"
[[rule.threat.technique.subtechnique]]
id = "T1567.002"
name = "Exfiltration to Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1567/002/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"